alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:13;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:14;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR freak 1.0 runtime detection - icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=FrEaK_ViCTiM"; nocase; content:"fromemail=FrEaK"; nocase; content:"subject=FrEaK+SERVER"; nocase; content:"body="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6071; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR globalkiller1.0 runtime detection - notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=MondoHack"; nocase; content:"fromemail="; nocase; content:"subject="; nocase; content:"body="; nocase; content:"to="; nocase; content:"send="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6331; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR y3k 1.2 runtime detection - icq notification"; flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client"; flow:from_server,established; flowbits:isset,nova_cgi_cts; content:"|23| Nova CGI Notification Script"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7743; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR itadem trojan 3.0 runtime detection"; flow:to_client,established; content:"|0D 0A|<title>ItAdEm Trojan Server</title>|0D 0A|"; nocase; reference:url,www.antispyware.com/glossary_details.php?ID=2059; reference:url,www.megasecurity.org/trojans/i/itadem/Itadem3.0.html; classtype:trojan-activity; sid:12244; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR trojan-spy.win32.delf.uv runtime detection"; flow:from_server,established; flowbits:isset,Trojan-Spy.Win32.Delf.uv_Detection; content:"[|00|u|00|p|00|d|00|a|00|t|00|e|00|]"; content:"[|00|p|00|o|00|p|00|w|00|i|00|n|00|]"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Delf.uv&threatid=134949; classtype:trojan-activity; sid:13878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR td.exe runtime detection - download"; flow:to_server,established; content:"/download.php"; nocase; content:"id="; distance:0; nocase; content:"Submit=Download+Crack+and+Keygen"; distance:0; nocase; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16096; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR win32.delf.jwh runtime detection"; flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; reference:url,www.emsisoft.com/en/malware/?Backdoor.Win32.Delf.jwh; classtype:trojan-activity; sid:16092; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Delf Trojan POST attempt"; flow:to_server,established; content:"tip"; nocase; content:"&cli"; distance:0; nocase; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1; classtype:trojan-activity; sid:15730; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Night Dragon initial beacon"; flow:established,to_server; content:"|68 57 24 13|"; depth:4; offset:12; content:"|01 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Night Dragon keepalive message"; flow:established,to_server; content:"|68 57 24 13|"; depth:4; offset:12; content:"|03 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHAT mIRC IRC URL buffer overflow attempt"; flow:to_client,established; content:"src='irc|3A|//"; pcre:"/^\S{999}/R"; reference:bugtraq,8819; reference:cve,2003-1336; classtype:attempted-user; sid:16579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Microsoft XML parser IIS WebDAV attack attempt"; flow:established,to_server; content:"PROPFIND"; depth:8; nocase; pcre:"/(xmlns\x3A.*?){15}/"; reference:bugtraq,11384; reference:cve,2003-0718; classtype:denial-of-service; sid:12043; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"-100"; fast_pattern:only; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:16214; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; file_data; content:"|FF D8 FF|"; content:"|FF ED|"; content:"8BIM"; within:4; distance:16; nocase; pcre:"/\xff\xed.{16}8BIM\x04(\x09|\x0c)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging small offset malformed tiff"; flow:to_client,established; content:"II*|00|"; byte_jump:4,0,relative,little; content:"|02 01 03 00|"; distance:-8; byte_test:4,>,6,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12633; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; flowbits:isset,http.tiff; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12634; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple QuickTime STSD atom overflow attempt"; flow:established,to_client; flowbits:isset,http.quicktime; content:"stsd"; byte_test:4,>,0,4,relative,big; byte_test:4,<,12,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26341; reference:cve,2007-3750; classtype:attempted-user; sid:12746; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Skype skype4com URI handler memory corruption attempt"; flow:established,to_client; content:"skype4com|3A|"; fast_pattern:only; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple QTIF malformed idsc atom"; flow:established,to_client; content:"idsc"; byte_test:4,<,94,-8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0033; classtype:attempted-user; sid:13517; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Possible Adobe Flash ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Possible Adobe PDF ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; content:"unescape|28|'"; content:"GetDetailsString|28|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; classtype:attempted-user; sid:16578; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT  BEA WebLogic jsessionid buffer overflow attempt"; flow:to_server,established; content:"JSESSIONID="; nocase; isdataat:500,relative; pcre:"/^Cookie\x3a[^\n]*[\x3b\x3a]\s*JSESSIONID=[^\n\x3b=]{500}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33177; reference:cve,2008-5457; classtype:attempted-admin; sid:15010; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17404; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17406; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17405; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT osCommerce categories.php Arbitrary File Upload And Code Execution"; flow:to_server,established; content:"/admin/categories.php/login.php?cPath=&action=new_product_preview"; fast_pattern:only; reference:bugtraq,44995; classtype:web-application-attack; sid:18678; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Sun Java Applet2ClassLoader Remote Code Execution"; flow:from_server,established; file_data; content:"codebase|3D 22|file|3A 2F 2F|"; nocase; content:"code|3D 22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-4452; reference:url,exploit-db.com/exploits/16990/; classtype:attempted-user; sid:18679; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Visio version number anomaly"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; fast_pattern:only; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0934; reference:url,www.microsoft.com/technet/security/bulletin/MS07-030.mspx; classtype:misc-activity; sid:11836; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MISC HP DDMI Agent spoofing - command execution"; flow:established,to_server; content:"SOAPMethodName|3A| urn|3A|aiagent|23|executeProcess"; nocase; metadata:policy security-ips drop; reference:bugtraq,35250; reference:cve,2009-1419; classtype:attempted-admin; sid:18397; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,wav_file.request; content:"RIFF"; content:"WAVEfmt"; distance:4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,realmedia_file.request; content:"INDX"; byte_test:4,>,0x15555554,6,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,realplayer.playlist; content:"qt|3A|next"; fast_pattern:only; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Nullsoft Winamp AIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,aiff_file.request; content:"COMM"; byte_test:4,>,0xD9EF,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33226; reference:cve,2009-0263; classtype:attempted-user; sid:15901; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA realplayer .rec download attempt"; flow:from_server,established; file_data; content:".rec|00|"; fast_pattern:only; flowbits:set,http.realplayer; flowbits:noalert; classtype:misc-activity; sid:19128; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA realplayer .r1m download attempt"; flow:from_server,established; file_data; content:".r1m"; fast_pattern:only; flowbits:set,http.realplayer; flowbits:noalert; classtype:misc-activity; sid:19129; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Visio file download"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A|"; fast_pattern:only; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Webmail client chat applet"; flow:established,to_server; content:"POST"; nocase; content:"/mail/channel/bind"; fast_pattern:only; classtype:policy-violation; sid:12391; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent|3A| Ruckus/"; fast_pattern:only; classtype:policy-violation; sid:12425; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Crystal Reports file download"; flow:to_client,established; flowbits:isset, rpt.download; content:"|D0 CF 11 E0 A1 B1 1A E1 00|"; fast_pattern:only; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,www.microsoft.com/technet/security/bulletin/ms07-052.mspx; classtype:policy-violation; sid:12456; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY AIM Express usage"; flow:to_server,established; content:"Host|3A| aimexpress.aol.com"; fast_pattern:only; reference:url,www.aim.com/aimexpress.adp; classtype:policy-violation; sid:12686; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Habbo chat client successful login"; flow:to_client,established; content:"document.habboLoggedIn = true"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13863; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:15170; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY attempted download of a PDF with embedded Flash"; flow:to_client,established; flowbits:isset,http.pdf; content:"stream"; fast_pattern; nocase; pcre:"/^[\x0A\x0D]{1,2}[CF]WS/iR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:15727; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Adobe PDF alternate file magic obfuscation"; flow:established,to_client; flowbits:isset,http.pdf; content:"%COS-0.2"; depth:1032; content:"PDF-"; distance:0; metadata:policy security-ips drop; reference:url,www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf; classtype:misc-activity; sid:16390; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"`|E8 00 00 00 00|X|83 E8|=P|8D B8|"; content:"|FF|W"; within:2; distance:3; content:"|8A 06|F|88 07|G|EB EB 90 90 90 B8 01 00 00 00 01|"; within:17; distance:28; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16434; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"`|BE|"; content:"|8D BE|"; within:2; distance:4; pcre:"/^\x57(\x83\xCD\xFF)?\x89\xE5\x8D\x9C\x24.{4}\x31\xC0\x50\x39\xDC\x75\xFB\x46\x46\x53\x68.{4}\x57\x83\xC3\x04\x53\x68.{4}\x56\x83\xC3\x04\x53\x50\xC7\x03.{4}\x90\x90/R"; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16436; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"|8A 06|F|88 07|G|01 DB|u|07 8B 1E 83 EE FC 11 DB|"; pcre:"/^(\x72\xED\xB8\x01.{3}|\x8A\x07\x72\xEB\xB8\x01\x00\x00\x00)\x01\xDB\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x11\xC0\x01\xDB[\x73\x77].{3}\x8B\x1E\x83\xEE\xFC/R"; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16435; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY PDF with click-to-launch executable"; flow:established,to_client; flowbits:isset,http.pdf; content:"obj"; nocase; content:"<<"; within:4; content:"/Launch"; within:100; fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|com|swf)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY base64-encoded uri data object found"; flow:to_client,established; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of Windows .lnk file that executes cmd.exe detected"; flow:to_client,established; flowbits:isset,http.lnk; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-049.mspx; classtype:attempted-user; sid:17442; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with embedded JavaScript - JS string"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/JS"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*?\x2fJS[\s|>|<]/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:17668; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY FlashPix file download request"; flow:to_server, established; content:".fpx"; nocase; flowbits:set,http.fpx; flowbits:noalert; classtype:policy-violation; sid:17739; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Excel with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.xls; content:"ShockwaveFlashObjects"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:18545; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Word with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.doc; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:18546; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Powerpoint with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.ppt; content:"|53 00 68 00 6F 00 63 00 6B 00 77 00 61 00 76 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 4F 00 62 00 6A 00 65 00 63 00 74 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:18547; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY PDF file with embedded PDF object"; flow:established,to_client; file_data; content:"EmbeddedFile"; distance:0; nocase; content:"3C7064663E"; distance:0; nocase; content:"3C2F7064663E"; distance:0; nocase; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY RTF file with embedded OLE object"; flow:established,to_client; flowbits:isset,http.rtf; file_data; content:"d0cf11e"; distance:0; nocase; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18685; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with embedded JavaScript - JavaScript string"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/JavaScript"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fJavaScript/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18681; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with OpenAction object"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/OpenAction"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fOpenAction/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18682; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Excel file with embedded PDF object"; flow:established,to_client; flowbits:isset,http.xls; file_data; content:"startxref"; distance:0; nocase; content:"%%EOF"; distance:0; nocase; isdataat:!3,relative; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18683; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Apple Mach-O executable download attempt"; flow:established,to_client; file_data; content:"|CA FE BA BE|"; within:4; byte_test:4, <, 20, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html; classtype:policy-violation; sid:18983; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c]u[0-9a-f]{4}(\x22\s*\x2B\s*\x22)?[\x25\x5c]u[0-9a-f]{4}/smi"; classtype:shellcode-detect; sid:10504; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi"; classtype:shellcode-detect; sid:10505; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape unicode encoded shellcode"; flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; classtype:shellcode-detect; sid:12630; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE JavaScript var shellcode"; flow:to_client,established; content:" shellcode"; fast_pattern:only; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; sid:17392; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE JavaScript var heapspray"; flow:to_client,established; content:" heapspray"; fast_pattern:only; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; sid:17393; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 1E 02 00 00 EB 0A 11 06 2E 02 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17497; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 36 00 00 00 0F 00 11 05 2E 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17496; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel Column record handling memory corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 00 1C 00 0F 00 02 00 FF FF 00 00 01 00 03 00 00|"; fast_pattern:only; reference:bugtraq,21925; reference:cve,2007-0030; classtype:attempted-user; sid:17543; rev:3;)
# sids 12775, 12771, 12770, 12773, 12772, 12774: "obfuscated" ActiveX exploit attempts. Each content is
# the literal string layout of one published sample — the `VulObject = "IER" + "PCtl.I" ...`
# concatenation, the `storm` / `pps` / `gl` element names, the `LoveVChenzi` marker — so a page that
# reaches the same control through a different layout is not covered; only the CLSID-bearing rules
# (12771, 12773, 12772, 12774) carry a stable identifier. sid 12770's content looks like the
# RDS.Dataspace CLSID's groups listed in reverse order and joined with '|', i.e. one specific
# string-splitting scheme.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated RealPlayer Ierpplug.dll ActiveX exploit attempt"; flow:established,to_client; content:"VulObject = |22|IER|22| + |22|PCtl.I|22| + |22|ERP|22| + |22|Ctl.1|22 3B|"; nocase; metadata:policy security-ips drop; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,26586; reference:cve,2006-6847; reference:cve,2007-5601; classtype:attempted-user; sid:12775; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt"; flow:established,to_client; content:"storm.setAttribute|28 22|classid|22|,|22|clsid|3A|6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB|22 29|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25601; reference:cve,2007-4816; classtype:attempted-user; sid:12771; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated RDS.Dataspace ActiveX exploit attempt"; flow:established,to_client; content:"00C04FC29E36|7C|983A|7C|11D0|7C|65A3|7C 7C|BD96C556|7C 7C|clsid"; nocase; metadata:policy security-ips drop; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,www.microsoft.com/technet/security/bulletin/MS06-014.mspx; classtype:attempted-user; sid:12770; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt"; flow:established,to_client; content:"<object id=|22|gl|22| classid=|22|clsid|3A|F3E70CEA-956E-49CC-B444-73AFE593AD7F|22|>"; nocase; metadata:policy security-ips drop; reference:bugtraq,26536; reference:cve,2007-6144; classtype:attempted-user; sid:12773; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated PPStream PowerPlayer ActiveX exploit attempt"; flow:established,to_client; content:"pps.setAttribute|28 22|classid|22|,|22|clsid|3A|5EC7C511-CD0F-42E6-830C-1BD9882F3458|22 29|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25502; reference:cve,2007-4748; classtype:attempted-user; sid:12772; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt"; flow:established,to_client; content:"<object classid=|22|clsid|3A|AE93C5DF-A990-11D1-AEBD-5254ABDD2B69|22|"; nocase; content:"LoveVChenzi"; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,26244; reference:cve,2007-5722; classtype:attempted-user; sid:12774; rev:5;)
# sids 13816, 13818, 13817: CVE-2005-1921 (PHP XML-RPC) request signatures. Each anchors on "POST" in
# the first 4 bytes of the payload and then chains the XML-RPC envelope fragments with distance:0.
# sid 13818's final content (the `AND ascii(substring(pass,1,1))...` fragment) has no distance:0, so
# unlike every other fragment in these three rules it is searched anywhere in the payload rather than
# after the <string> element — confirm that is intended. All three are keyed to the literal payload
# text of specific published tools.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Metasploit Framework xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:"<methodCall><methodName>"; distance:0; content:"</methodName><params><param><name>"; distance:0; content:"'|29 3B|echo|28|'"; distance:0; content:"'|29 3B| passthru|28|chr|28|"; distance:0; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13816; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS alternate xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:"<methodCall><methodName>"; distance:0; content:"</methodName><params><param><value><string></string></value></param><param><value><string>"; distance:0; content:"AND ascii|28|substring|28|pass,1,1|29 29 0A|/**/BETWEEN/**/52/**/AND/**/58|29|/*"; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13818; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:"<methodCall><methodName>"; distance:0; content:"</methodName><params><param><value><name>"; distance:0; content:"',''|29 29 3B|echo '_begin_|0A|'|3B|echo"; distance:0; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13817; rev:5;)
# sids 13912, 15163, 15164, 15191, 15383, 15431: client-side exploit attempts keyed on literal tokens
# from the published proof of concept — the `boom` argument to isComponentInstalled, the element id
# "path", the `deleteChild` handler name, the `w00t()` key function. Expect coverage only for samples
# that keep those tokens. sid 15191's content runs past the IHDR fields (32768x32768, bit depth 8,
# colour type 6) into what appear to be the chunk CRC bytes, which ties it to that one file header
# rather than to the oversized dimensions; it also carries no service http metadata.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS isComponentInstalled Metasploit attack attempt"; flow:established,to_client; content:"isComponentInstalled|28|boom"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Visio Object Header Buffer Overflow attempt"; flow:to_client,established; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox animated PNG processing integer overflow"; flow:established,to_client; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR|00 00 80 00 00 00 80 00 08 06 00 00 01 B3|{|93|"; metadata:policy security-ips drop; reference:cve,2008-4064; classtype:attempted-user; sid:15191; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; content:"XUL_NS"; content:"child.parentNode.removeChild"; distance:0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:4;)
# sid 15478: file_data followed by a 64-byte content with within:64, which pins the match to the very
# start of the file buffer. The bytes begin with the compressed-SWF header (CWS, version 6) and a zlib
# header (78 DA); everything after that is compressed stream data, so the rule matches only this exact
# sample's compression output, not the invalid-object-reference condition itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|"; within:64; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33880; reference:cve,2009-0520; classtype:attempted-user; sid:15478; rev:2;)
# sid 15488: Oracle APEX password-hash disclosure query (CVE-2009-0981) in a client request. Both
# contents are case-sensitive (no nocase) although SQL keywords and unquoted identifiers such as
# WWV_FLOW_USERS are generally case-insensitive to the database, so only the exact casing shown is
# detected; the rest of this file applies nocase liberally. NOTE(review): consider adding `nocase`
# to both contents. distance:1 after "from" allows any gap of at least one byte before the table name.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS"; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:2;)
# sids 15678/15679: Microsoft DirectShow (CVE-2008-0015) CLSID assignment in script. sid 15679 is the
# same `.classid='clsid:0955AC62-...';` string with every character followed by three NUL bytes (a
# 4-byte-per-character wide encoding); nocase applies to the ASCII bytes only. Both require the exact
# single-quote/semicolon form `='clsid:...';`, so other quoting styles are not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:established,to_client; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms09-032.mspx; classtype:attempted-user; sid:15678; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript - unicode encoding"; flow:established,to_client; content:".|00 00 00|c|00 00 00|l|00 00 00|a|00 00 00|s|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00|=|00 00 00|'|00 00 00|c|00 00 00|l|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00 3A 00 00 00|0|00 00 00|9|00 00 00|5|00 00 00|5|00 00 00|A|00 00 00|C|00 00 00|6|00 00 00|2|00 00 00|-|00 00 00|B|00 00 00|F|00 00 00|2|00 00 00|E|00 00 00|-|00 00 00|4|00 00 00|C|00 00 00|B|00 00 00|A|00 00 00|-|00 00 00|A|00 00 00|2|00 00 00|B|00 00 00|9|00 00 00|-|00 00 00|A|00 00 00|6|00 00 00|3|00 00 00|F|00 00 00|7|00 00 00|7|00 00 00|2|00 00 00|D|00 00 00|4|00 00 00|6|00 00 00|C|00 00 00|F|00 00 00|'|00 00 00 3B|"; nocase; metadata:policy security-ips drop; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms09-032.mspx; classtype:attempted-user; sid:15679; rev:3;)
# sids 15699, 15880, 15940, 15950: sid 15699 pairs two contents with a PCRE that requires `)` and `/`
# around Math.LN2, i.e. the specific `Math.ceil(Math.log(...)/Math.LN2)` expression from the sample.
# sid 15880 matches the literal `<object data=ouch.php>` from the proof of concept. sid 15940 matches
# a fixed RealAudio header (".ra" ... ".ra4" ... 0F FF FF FF). sid 15950 requires the `-lh0-` LHA
# method id followed exactly 13 bytes later (distance:13, within:11 on an 11-byte content) by the
# sample's `DDDD` filler, so it is tied to that sample.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; content:"Math.ceil|28|Math.log|28|"; nocase; content:"Math.LN2|29|"; distance:0; nocase; pcre:"/\x29\s*\x2f\s*Math.LN2\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer popup window object tag code execution attempt"; flow:to_client,established; content:"window.createPopup|28 29|"; content:"oPopup.document.body.innerHTML"; distance:0; content:"<object data=ouch.php>"; distance:0; metadata:policy security-ips drop; reference:cve,2003-0838; classtype:attempted-user; sid:15880; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer Multiple Products RA file processing overflow attempt"; flow:to_client,established; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-2264; classtype:attempted-user; sid:15940; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt"; flow:to_client,established; content:"-lh0-"; content:"|02 C9 C5|M|88 00 02|DDDD"; within:11; distance:13; metadata:policy security-ips drop; reference:bugtraq,12832; reference:cve,2005-0644; classtype:attempted-user; sid:15950; rev:5;)
# sids 15993, 15981: sid 15993 is gated on the http.swf flowbit (set by a rule outside this view) and
# matches a 22-byte ActionScript bytecode sequence. sid 15981 ("zlib Denial of Service", CVE-2004-0797)
# matches a fixed run of data starting with the zlib header 78 9C (`x|9C`), i.e. one sample's
# compressed stream rather than the malformed-stream condition — treat it as low-coverage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS zlib Denial of Service"; flow:to_client,established; content:"x|9C 85 C1 B9 11 80|0|10 04|A|EC A9 9A A0 C4|+|1E 91 7F FE D8 EB|p|DD AD FD 93 B9| KA|D6 82|l|05 D9 0B|r|14 A4|'9|93 5C|I|EE 24|O|92 91 E4|M2}yw[|86|"; metadata:policy security-ips drop; reference:bugtraq,11051; reference:cve,2004-0797; classtype:attempted-user; sid:15981; rev:3;)
# sid 15977: PHP strip_tags NUL-byte bypass (CVE-2004-0595). The content includes the proof of
# concept's harness path `/strip/getPoc.php?note=` and its alert() body; the part that reflects the
# vulnerability is the `%00` inside the tag name (`%3Cs%00cript%3E`). NOTE(review): as written only
# that one test URL is detected; a rule keyed on the NUL-in-tag fragment alone would give real coverage.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS PHP strip_tags bypass vulnerability exploit attempt"; flow:to_server,established; content:"/strip/getPoc.php?note=%3Cs%00cript%3Ealert%28%27Oops!%27%29%3B%3C%2Fs%00cript%3E"; metadata:policy security-ips drop; reference:bugtraq,10724; reference:cve,2004-0595; classtype:attempted-user; sid:15977; rev:3;)
# sids 15966, 15964: sid 15966 includes the sample's `testfile` name and `UUUU` filler after the LHA
# `-lh0-` header, so only that file is matched. sid 15964 (OWA XSS) matches the full proof-of-concept
# URL including the "hi, this is javascript here" alert text; the vulnerability-specific part is the
# `pick.asp?view=` parameter followed by the `%22>` attribute breakout, which this rule only sees in
# that one form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS F-Secure Anti-Virus LHA processing buffer overflow attempt"; flow:to_client,established; content:"!|C3|-lh0-|18 00 00 00 05 00 00 00 FA BB|m0 |01 08|testfile|F8 1B|U|05 00|P|B4 81 94 01 01|UUUU"; metadata:policy security-ips drop; reference:bugtraq,10243; reference:cve,2004-0234; classtype:attempted-user; sid:15966; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Exchange OWA XSS and spoofing attempt"; flow:to_client,established; content:"exchange/calendar/pick.asp?view=ppp%22></applet><script>alert|28|%22hi,%20this%20is%20javascript%20here%22|29|</script>|22|>click this</a>"; metadata:policy security-ips drop; reference:bugtraq,10902; reference:cve,2004-0203; classtype:misc-attack; sid:15964; rev:3;)
# sid 15985: ASP.NET canonicalisation bypass (CVE-2004-0847). The content is the proof of concept's
# exact request line `GET /fsc/secured\fsc.aspx HTTP/1.1`; the vulnerability-relevant indicator is the
# backslash (|5C|) inside the request path, which this rule only sees for that one path and version
# string. A path-agnostic form (e.g. a `|5C|` content restricted to the URI buffer) would be broader;
# weigh the false-positive rate before changing it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Microsoft ASP.NET canonicalization exploit attempt"; flow:to_server,established; content:"GET /fsc/secured|5C|fsc.aspx HTTP/1.1"; metadata:policy security-ips drop; reference:bugtraq,11342; reference:cve,2004-0847; classtype:attempted-user; sid:15985; rev:3;)
# sids 16001, 15999, 16051, 16068: sid 15999's content carries the sample's variable names (`bb`,
# `fr`) and child index [4]; sid 16051 is gated on the http.pub flowbit (set outside this view) and
# carries no service http metadata; sid 16068 requires the sample's `buf = buf + unescape("%u`
# accumulator line in addition to the Yahoo Music Jukebox CLSID, so the CLSID alone does not fire it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_client,established; content:"|00 9A 00 00 00 FF 80|P|00 00 00 00 00 14 00 14 00 02|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:16001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Publisher 2007 conversion library code execution attempt"; flow:to_client,established; flowbits:isset,http.pub; content:"|01 00 00 00 FF FF FF 7F 01 00 00 80 01 00 00 00 10 0E FE 7F 01 00 00 00 58 00 7C 96 18 CB 7C 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22702; reference:cve,2007-1754; classtype:attempted-user; sid:16051; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Yahoo Music Jukebox ActiveX exploit"; flow:established,to_client; content:"buf = buf + unescape|28 22|%u"; nocase; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; nocase; metadata:policy security-ips drop; reference:bugtraq,27578; reference:bugtraq,27579; reference:cve,2008-0624; reference:cve,2008-0625; classtype:attempted-user; sid:16068; rev:4;)
# sid 16087: the base64 inside the data: URI is the EICAR anti-virus test string, so this rule fires on
# the published test case for the gateway bypass (CVE-2005-0218) and not on other content delivered
# the same way. The generic indicator is an anchor whose href starts with
# `data:application/octet-stream;base64,`; a companion rule on that prefix would be broader but is
# likely to be noisy — weigh before adding.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor AV gateway virus detection bypass attempt"; flow:to_client,established; content:"<a href=|22|data|3A|application/octet-stream|3B|base64,WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=|22|>"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,12269; reference:cve,2005-0218; classtype:misc-attack; sid:16087; rev:3;)
# sids 16145, 16142, 16089, 16284, 16288, 16334, 16340, 16347: browser/plugin exploit attempts.
# sid 16145 requires the sample's long pi literal and its exact document.write line; sid 16284's three
# contents carry no relative modifiers, so each is an independent search (unlike the distance:0 chains
# used elsewhere in this file); sid 16334 is gated on the http.pdf flowbit (set outside this view) and
# matches 11 bytes of compressed stream, so it is tied to one sample and carries no service http
# metadata; sid 16347 uses fast_pattern (not :only) on the first-letter rule, so that content is
# re-verified, then bounds the display toggle with within:60.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; content:"SPP_P|1D CD|P|3B D5 AF AF AF AF 19|6|A5|U4cz{|B1 04 1D E7 EF|jiI|8A|T|D1|s|FD 0C F7|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:16089; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt"; flow:established,to_client; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:16288; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader compressed media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"&|EA A7 7C 9A 1D C4 1C FE|&|7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2009-4324; classtype:attempted-user; sid:16334; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS DHTML Editing ActiveX clsid access"; flow:established,to_client; content:"execCommand|28 22|copy|22 29 3B|"; nocase; content:"2D360201-FFF5-11d1-8D03-00A0C959BC0A"; distance:0; metadata:policy security-ips drop; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:16340; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; content:"|3A|first-letter {float|3A| "; fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:1;)
# sid 16479: Apache mod_isapi (CVE-2010-0425). The content is the raw bytes of one public shellcode
# blob (it contains the strings `sos.txt` and `pwn-isapi`) sent to $HTTP_PORTS. It detects that
# payload, not the dangling-pointer trigger in the ISAPI request, so a different payload for the same
# bug is not covered; the impact_flag red marking is appropriate for what it does catch.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Apache mod_isapi dangling pointer exploit attempt - public shell code"; flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16479; rev:2;)
# sid 16490: `flow:to_client, established` has a space after the comma, unlike every other rule in
# this view (sid 16676 has the same). The flow parser appears to tolerate the whitespace, but
# normalising it to `flow:to_client,established` keeps the file consistent. Gated on the http.pdf
# flowbit (set outside this view); the content is opaque bytes with no recognisable structure, so it
# matches this sample only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client, established; flowbits:isset,http.pdf; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:16490; rev:3;)
# sids 16590, 16588, 16591, 16589, 16592: sids 16590/16591 are the EasyMail CLSID in two markup forms
# and follow the " - 1" / " - 2" naming convention. sid 16589 requires `url`, `toolbar`,
# `enableZoomPastMax` and the classid in that order (distance:0 chain), so the sample's property order
# is baked in; the 3-byte `url` content is not the fast pattern (the classid string is longer) but it
# still constrains ordering. sid 16592 depends on the sample's `loop` / `doit` function names, with
# no metadata other than policies and two URL references.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 1"; flow:established,to_client; content:"|23| CLSID|3A|68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; metadata:policy security-ips drop; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16590; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS iseemedia LPViewer ActiveX exploit attempt"; flow:established,to_client; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 2"; flow:established,to_client; content:"classid='clsid|3A|68AC0D5F-0424-11D5-822F-00C04F6BA8D9'"; content:"unescape|28 22|%"; distance:0; metadata:policy security-ips drop; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16591; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:established,to_client; content:"url"; content:"toolbar"; distance:0; content:"enableZoomPastMax"; distance:0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Opera asynchronous document modifications attempted memory corruption"; flow:established,to_client; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|"; distance:0; content:"function doit|28 29|"; distance:0; content:"document.write"; distance:0; content:"setInterval|28|loop,0|29|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:2;)
# sid 16605: both contents are the percent-encoded forms of `<SPAN DATASRC=#I DATAFLD=C
# DATAFORMATAS=HTML>` and the same tag with `DATAFORMATAS=TEXT>`, i.e. the tags as they sit inside the
# sample's encoded script string. Plain-text tags are not matched, so only this encoded delivery is
# covered; nocase here only affects the hex digits of the escapes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer nested SPAN tag memory corruption attempt"; flow:established,to_client; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; fast_pattern:only; nocase; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:1;)
# sids 16599, 16598, 16664, 16666, 16667, 16675, 16668, 16671: sid 16664 matches the compressed-SWF
# header (CWS, version 9, zlib 78 9C) and then a 48-byte content exactly 316 bytes further on
# (distance:316, within:48), all compressed stream data, so it is tied to one sample's compression
# output. sids 16667/16668 require the sample's www.google.com / www.google.ca frame src before the
# escaped-scheme `alert(document.cookie` string, so the cross-origin indicator (an escape sequence
# inside the `javascript:` scheme) is only seen together with those targets. sid 16666 requires the
# exact spacing of `for(var i = 0; i < 2; i++)` and carries no service http metadata.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:established,to_client; content:".CompleteInstallation|28|"; content:"String.fromCharCode"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Green Dam URL handling overflow attempt"; flow:established,to_client; content:"<=2035"; fast_pattern:only; content:"window.location="; content:"'.html'|3B|"; within:30; nocase; content:"classid=|22|"; distance:0; nocase; content:".dll|23|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,osvdb.org/55126; reference:url,secunia.com/advisories/35435; classtype:attempted-user; sid:16598; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt"; flow:to_client,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|"; within:48; distance:316; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:16664; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari window.parent.close unspecified remote code execution vulnerability"; flow:established,to_client; content:"for|28|var i = 0|3B| i |3C| 2|3B| i|2B 2B 29|"; content:"parent.alert|28 22|"; within:50; content:"self.close|28 29 3B|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,39990; reference:cve,2010-1939; reference:url,secunia.com/advisories/39670; classtype:attempted-user; sid:16666; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS CA BrightStor ListCtrl ActiveX exploit attempt"; flow:established,to_client; content:"classid|3D 22|clsid|3A|BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3|22|"; content:"unescape|28 22 25|u"; distance:0; metadata:policy security-ips drop; reference:bugtraq,28268; reference:cve,2008-1472; classtype:attempted-user; sid:16675; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS IBM Lotus Domino Web Access ActiveX exploit attempt"; flow:established,to_client; content:"classid=|27|clsid|3A|E008A543-CEFB-4559-912F-C27C2B89F13B|27|"; fast_pattern:only; content:"classid=|27|clsid|3A|3BFFE033-BF43-11D5-A271-00A024A51325|27|"; distance:0; metadata:policy security-ips drop; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:16671; rev:3;)
# sid 16676: Adobe Reader FlateDecode /Colors overflow (CVE-2009-3459). The PCRE accepts each letter of
# "Colors" either literally or as a PDF name hex escape (#43, #6F, ...), which is the right
# generalisation for name obfuscation; the value 1073741838 (0x4000000E) is matched literally only.
# Same comma-space in `flow:` as sid 16490 — normalise to `flow:to_client,established`.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration"; flow:to_client, established; content:"1073741838"; pcre:"/(C|#43)(o|#6F)(l|#6C)(o|#6F)(r|#72)(s|#73)\s*1073741838/smi"; metadata:policy security-ips drop; reference:bugtraq,36600; reference:cve,2009-3459; classtype:attempted-user; sid:16676; rev:2;)
# sids 16672, 16704, 16714: ActiveX CLSID/ProgID followed by `unescape(` and a `%u` sequence.
# sid 16672 bounds the `%u` with within:5 after `unescape(`, independent of quoting; sids 16704 and
# 16714 fold the quote and percent into the content (`unescape('%u`, `unescape('%`), so they only
# fire on the single-quoted form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; fast_pattern:only; nocase; content:"unescape|28|"; content:"|25|u"; within:5; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS CA eTrust PestPatrol 'ppctl.dll' ActiveX Initialize method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6|27 3E 3C 2F|object|3E|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37133; reference:cve,2009-4225; classtype:attempted-user; sid:16704; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS SoftArtisans XFile FileManager ActiveX Control buffer overflow attempt"; flow:to_client,established; content:"ActiveXObject|28 27|SoftArtisans|2E|FileManager|2E|1|27 29 3B|"; content:"unescape|28 27 25|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30826; reference:cve,2007-1682; reference:url,support.softartisans.com/Support-114.aspx; classtype:attempted-user; sid:16714; rev:1;)
# sids 16735, 16731, 16737, 16738: two detection styles for the same class of file-parsing overflow.
# sids 16735 and 16737 use the generic form — isdataat:N,relative plus content:!"|00|"; within:N —
# which checks for N bytes without a terminator after the header regardless of what the filler is;
# sids 16731 and 16738 instead match the sample's `AAAA...` filler (and, for 16738, its jump stub
# bytes), so they see only that sample. sid 16737 has no metadata block (no policy/service http)
# unlike its sibling 16738 — confirm that is intended.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS URSoft W32Dasm Import/Export function buffer overflow attempt"; flow:to_client,established; content:"|D4 30 00 00 00 00 00 00 00 00 00 00 E0 30 00 00 F0 30 00 00 F8 30 00 00 00 31 00 00 00 00 00 00 78 02|"; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy security-ips drop; reference:bugtraq,12352; reference:cve,2005-0308; classtype:attempted-user; sid:16735; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; content:"ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpgAAAAAAAAAAAAAAA"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16731; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Xenorate Media Player XPL file handling overflow attempt - 1"; flow:to_client,established; file_data; isdataat:92,relative; content:!"|00|"; within:92; content:"|FD A4 00 10|"; within:4; distance:92; reference:url,osvdb.org/show/osvdb/57162; classtype:attempted-user; sid:16737; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,osvdb.org/show/osvdb/57162; classtype:attempted-user; sid:16738; rev:1;)
# sids 16715, 16729, 16711, 16740, 16745: CLSID/ProgID plus unescape patterns. sid 16740 places its
# fast_pattern:only CLSID content before `file_data;`, so the CLSID is looked up in the default buffer
# while the remaining matches use the file_data buffer; the siblings (16715, 16729, 16745) put
# file_data first. If the intent is to inspect the decoded body throughout, move `file_data;` ahead
# of the CLSID content. sid 16711 has no relative modifier on its `unescape('%` content, so that is
# an independent search rather than one anchored after the classid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; content:"unescape|28|"; within:300; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee Remediation client ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28 27|Enginecom.imagineLANEngine.1|27 29 3B|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; classtype:attempted-user; sid:16729; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS E-Book Systems FlipViewer FlipViewerX.dll ActiveX multiple buffer overflow attempt"; flow:to_client,established; content:"classid|3D 27|clsid|3A|BA83FD38-CE14-4DA3-BEF5-96050D55F78A|27|"; fast_pattern:only; nocase; content:"unescape|28 27 25|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24328; reference:cve,2007-2919; classtype:attempted-user; sid:16711; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; fast_pattern:only; nocase; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS DjVu ActiveX control ImageURL property overflow attempt"; flow:to_client,established; file_data; content:"clsid:4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; fast_pattern:only; nocase; content:"unescape|28|"; nocase; content:"%u"; within:5; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31987; reference:cve,2008-4922; classtype:attempted-user; sid:16745; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt"; flow:established,to_client; content:"|2E|RunCMD|28|"; fast_pattern:only; nocase; content:"catch|28| e |29 20 7B| window|2E|location|20 3D|"; metadata:policy security-ips drop; reference:bugtraq,37092; reference:cve,2009-3033; classtype:attempted-user; sid:16787; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 2"; flow:to_client,established; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; fast_pattern:only; nocase; content:"unescape|28 22 25|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 1"; flow:to_client,established; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; fast_pattern:only; nocase; content:"|3D| unescape|3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:established,to_client; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS KeyWorks KeyHelp 'keyhelp.ocx' ActiveX control multiple method overflow attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28 27|KeyHelp.KeyCtrl.1|27 29 3B|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36546; reference:url,osvdb.org/show/osvdb/58423; classtype:attempted-user; sid:16776; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6|27 3E 3C 2F|object|3E|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16741; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Web Components Spreadsheet ActiveX buffer overflow attempt"; flow:to_client,established; content:"classid|3D 22|clsid|3A|0002E511-0000-0000-C000-000000000046|22|"; fast_pattern:only; nocase; content:"<body onload"; content:"</html>"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35992; reference:cve,2009-1534; classtype:attempted-user; sid:16786; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:established,to_client; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Ask Toolbar AskJeevesToolBar.SettingsPlugin.1 ActiveX control buffer overflow attempt"; flow:established,to_client; content:"classid|3D 27|clsid|3A|5A074B2B-F830-49DE-A31B-5BB9D7F6B407|27|"; content:"|3D| new String|28|"; distance:0; content:!"|29|"; within:1000; metadata:policy security-ips drop; reference:bugtraq,25785; reference:cve,2007-5107; classtype:attempted-user; sid:17077; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"unescape|28|"; within:300; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|9F1363DA-0220-462E-B923-9E3C9038896F|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Liquid XML Studio LtXmlComHelp8.dll ActiveX OpenFile buffer overflow attempt"; flow:to_client,established; content:"classid|3D 27|clsid|3A|E68E401C-7DB0-4F3A-88E1-159882468A79|27|"; content:"defer>"; within:100; content:"unescape|28 22 25|"; within:50; metadata:policy security-ips drop; reference:url,secunia.com/advisories/38974; classtype:attempted-user; sid:17160; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17215; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17214; rev:1;)
# SPECIFIC-THREATS, client-side block continued (browser, Flash/Reader, archive and AV-engine
# exploits). NOTE(review) comments describe signature quality only; they do not change rules.
# Cross-cutting: several rules here key on bytes that are unique to one published PoC or one
# in-the-wild sample (exact whitespace, variable names, URLs, zlib streams, checksums). They
# are low-false-positive but trivially evaded; treat them as sample detections, not CVE coverage.
# NOTE(review): CVE-2005-2871 soft-hyphen host PoC, four encodings across 17219/17220/17221/
# 17222: HTML numeric entities here, raw 0xAD (Latin-1) bytes in 17220, percent-encoding in
# 17222. Each needs a run of >=13 identical sequences directly after the scheme; fewer, mixed
# encodings, or UTF-8 (C2 AD) evade all four.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=http://&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD"; nocase; metadata:policy security-ips drop; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17219; rev:3;)
# NOTE(review): a bare 16-byte opaque blob with no flowbits:isset,http.swf, no file_data and
# no metadata -- presumably a fingerprint of one SWF sample. It cannot be tuned without the
# sample, and classtype misc-activity keeps it out of attack-oriented reporting.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player navigateToURL cross-site scripting attempt"; flow:established,to_client; content:"|11 BA EE 66 DA B8 6C D6 A9 D7 D9 C2 DB F0 26 7D|"; fast_pattern:only; reference:bugtraq,26960; reference:cve,2007-6244; classtype:misc-activity; sid:17223; rev:2;)
# Raw-byte (Latin-1) variant of sid 17219; note "https:" with no "//" following.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=https|3A AD AD AD AD AD AD AD AD AD AD AD AD AD|"; nocase; metadata:policy security-ips drop; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17220; rev:3;)
# NOTE(review): this variant matches 20 ASCII hyphens (0x2D) after "https:", which is a
# different byte from the U+00AD soft hyphen that triggers the bug -- confirm what this
# encoding is meant to catch before relying on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=https|3A|--------------------"; nocase; metadata:policy security-ips drop; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17221; rev:3;)
# NOTE(review): 48-byte opaque blob, presumably from the compressed skin payload of one
# sample; any recompression or change to the skin produces different bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows Media Player skin decompression code execution attempt"; flow:to_client,established; content:"|5B B7 D6 CA 91 94 5C C8 DB B1 29 8F FA A4 39 A6 9B B3 65 AD 6D CE EC 2C DB 28 0F FB FD E1 F9 F5 F9 E1 F9 7C 9E 83 C1 41 7B F6 26 93 40 0A B0 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25307; reference:cve,2007-3035; classtype:attempted-user; sid:17228; rev:1;)
# Percent-encoded variant of sid 17219, split across a JavaScript string concatenation
# ("http://" + newline, then the %AD run within 100 bytes); no file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt"; flow:to_client,established; content:"|22|http|3A 2F 2F 22 20 2B 0A|"; nocase; content:"|22|%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD|22|"; within:100; metadata:policy security-ips drop; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17222; rev:3;)
# NOTE(review): the hex decodes to "5>]\n>>\nstartxref\n246125\n%%EOF\n\r\n%SIGNATURE: " plus
# trailing bytes -- a specific startxref offset and a marker appended after %%EOF by one
# sample. Any other PDF built around the same malformed SING table evades; nothing here
# inspects the font table itself. No flowbits:isset,http.pdf and no file_data, unlike the
# other PDF rules in this group.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:17233; rev:1;)
# Matches UTF-16LE strings from the worm binary: "SendEmail.dll" followed by three ".iq"
# occurrences in order. A repacked or re-strung build evades; no file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS VBMania mass mailing worm download attempt"; flow:to_client,established; content:"|53 00 65 00 6E 00 64 00 45 00 6D 00 61 00 69 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00|"; content:"|2E 00 69 00 71 00 00 00|"; distance:0; content:"|2E 00 69 00 71 00 00 00|"; distance:0; content:"|2E 00 69 00 71 00 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17235; rev:1;)
# "**ACE**" at body offset 7 (the ACE archive magic position, used here as an anchor via
# within:7/distance:7 directly after file_data), then a 30-byte header fragment that
# includes per-file time/CRC style fields -- the fragment binds the rule to one sample.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Antivirus ACE file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|2A 2A 41 43 45 2A 2A|"; within:7; distance:7; content:"|01 80 1C 00 00 00 BE 02 00 00 C5 5A 08 33 20 00 00 00 80 98 92 84 02 03 0A 00 54 45 07 02|"; distance:0; metadata:policy security-ips drop; reference:cve,2005-2385; reference:cve,2005-2720; classtype:attempted-user; sid:17244; rev:3;)
# NOTE(review): three 16-byte opaque blobs at fixed positions (offset 144, then +352, +240)
# from one sample. Without file_data, offset:144 is measured from the start of the
# reassembled payload, so on HTTP the variable-length response headers sit in front of the
# SWF and shift the body -- confirm against a pcap that this still lines up, or anchor on
# file_data like the PDF rules above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player and Reader remote code execution attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|6C 23 B1 63 9A 87 31 36 CC 6F DD BA 75 7F C7 D0|"; depth:160; offset:144; content:"|9F 4E AA 98 1C 24 BF 33 AE 78 A5 58 32 B3 DE 54|"; within:16; distance:352; content:"|05 7D 9F EA A8 E5 CA A6 73 4A CE BC 5C 72 65 63|"; within:16; distance:240; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,www.adobe.com/support/security/advisories/apsa10-03.html; classtype:attempted-user; sid:17257; rev:2;)
# 32-byte archive fragment from one sample (no flowbits, no service http).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Panda Antivirus ZOO archive decompression buffer overflow attempt"; flow:to_client,established; file_data; content:"|40 29 23 28 00 00 83 08 24 48 B0 A0 C1 83 08 13 2A 5C C8 B0 A1 C3 87 10 23 4A 9C 48 B1 A2 C5 8B|"; metadata:policy security-ips drop; reference:cve,2005-3922; classtype:attempted-user; sid:17281; rev:3;)
# NOTE(review): a TrueType table directory run -- "maxp"/"name"/"post" tags each followed by
# a 4-byte checksum, offset (0x700E, 0x702E, 0x748F) and length. The checksums and offsets
# belong to one font file; any rebuilt font with the same overflow evades.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44203; reference:cve,2010-2862; classtype:attempted-user; sid:17288; rev:1;)
# NOTE(review): matches ".createTextRange()" followed by one PoC's exact whitespace
# sequence (tab, LF, CR, tab, space, LF, ...). The whitespace is meaningless to the
# browser; any reformatting evades.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; classtype:attempted-user; sid:17263; rev:1;)
# NOTE(review): the 0x00 bytes split "Attribute VB_Name = " into 8-byte runs, which looks
# like the flag bytes of an MS-OVBA compressed module stream; the second content has the
# module name interleaved the same way. The match therefore depends on how the sample's
# stream happened to be compressed -- a different chunk layout evades. No file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Visual Basic for Applications document properties overflow attempt"; flow:established,to_client; content:"Attribut|00|e VB_Nam|00|e = "; fast_pattern; nocase; content:"|22|ThiAsDocumen|22|t"; within:15; nocase; metadata:policy security-ips drop; reference:bugtraq,19414; reference:cve,2006-3649; classtype:attempted-user; sid:17286; rev:3;)
# NOTE(review): decodes to "st" BEL ESC[2J ESC[2;5m ESC[1;31m "HACKER ATTAC" -- the advisory
# PoC's terminal-escape file name. Only that PoC string matches; the generic indicator
# (ESC "[" sequences inside an archive member name) is not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor malformed ZIP archive Antivirus detection bypass attempt"; flow:to_client,established; file_data; content:"|73 74 07 1B 5B 32 4A 1B 5B 32 3B 35 6D 1B 5B 31 3B 33 31 6D 48 41 43 4B 45 52 20 41 54 54 41 43|"; metadata:policy security-ips drop; reference:bugtraq,12793; reference:url,ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2005-March/032530.html; classtype:attempted-user; sid:17267; rev:4;)
# NOTE(review): gzip magic 1F A0 (the LZH method byte) plus twelve 0xFF bytes, with depth:16
# and rawbytes. rawbytes bypasses preprocessor normalization and depth:16 anchors to the
# first 16 bytes of the raw TCP payload; on an HTTP response those bytes are the status
# line, so this only fires when the .gz body starts a new segment (or on non-HTTP traffic
# on $HTTP_PORTS). Confirm with a pcap; file_data would anchor on the body instead.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS GNU gzip LZH decompression make_table overflow attempt"; flow:established,to_client; content:"|1F A0 AB CD FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; rawbytes; metadata:policy security-ips drop; reference:cve,2006-4335; reference:url,secunia.com/advisories/21996/; classtype:attempted-user; sid:17289; rev:3;)
# NOTE(review): the second content is the literal PoC URL
# "http://gsx3/~swarelis/CAN-2005-0402/poc.html"; the rule matches the published PoC
# verbatim and nothing else. The first content (addPanel('FSC sidebar) is also PoC text.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox sidebar panel arbitrary code execution attempt"; flow:to_client,established; content:"onclick|3D 22|window|2E|sidebar|2E|addPanel|28 27|FSC|20|sidebar"; content:"http|3A 2F 2F|gsx3|2F 7E|swarelis|2F|CAN|2D|2005|2D|0402|2F|poc|2E|html"; distance:4; metadata:policy security-ips drop; reference:bugtraq,12884; reference:cve,2005-0402; classtype:attempted-user; sid:17268; rev:3;)
# Generic designMode="on" / document.write / document.close sequence on an iframe's
# contentWindow. The trailing "<iframe" carries no distance/within and may match anywhere
# in the body, including before the script.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript contentWindow in an iframe exploit attempt"; flow:to_client,established; file_data; content:"contentWindow.document.designMode = |22|on|22|"; content:"contentWindow.document.write"; within:100; content:"contentWindow.document.close"; within:100; content:"<iframe"; metadata:policy security-ips drop; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:17260; rev:2;)
# NOTE(review): ZIP local-header fragment: name length 0x13 then the PoC file name
# "FSC" ESC[2P "OC" ESC[0;59 ".txt" and the first compressed bytes. PoC-literal, as sid 17267.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor malformed ZIP archive Antivirus detection bypass attempt"; flow:to_client,established; file_data; content:"|13 00 00 00 46 53 43 1B 5B 32 50 4F 43 1B 5B 30 3B 35 39 2E 74 78 74 0B F0 66 66 E1 62 00 01 A3|"; metadata:policy security-ips drop; reference:bugtraq,12793; reference:url,ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2005-March/032530.html; classtype:attempted-user; sid:17266; rev:4;)
# 16-byte record fragment from one sample; no file_data and no "service http" in metadata.
# msg style differs from the rest of the group (no trailing "attempt").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint Viewer Memory Allocation Code Execution"; flow:to_client,established; content:"|26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:17310; rev:1;)
# NOTE(review): sids 17312/17311 hard-code the PoC's target URLs (search.msn.com and
# news.google.com). The injection itself is the "%7D%7B" ("}{") in the query string, which
# would be the portable indicator; any other reflecting site evades. No metadata on either.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt"; flow:to_client,established; content:"|3C|style"; nocase; content:"@import url|28 22|http|3A 2F 2F|search|2E|msn|2E|com|2F|results|2E|aspx|3F|q|3D 25|7D|25|7B|22 29|"; distance:0; nocase; reference:bugtraq,15660; reference:cve,2005-4089; classtype:attempted-user; sid:17312; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt"; flow:to_client,established; content:"|3C|style"; nocase; content:"@import url|28 22|http|3A 2F 2F|news|2E|google|2E|com|2F|news|3F|hl|3D|en|26|ned|3D|us|26|q|3D 25|7D|25|7B|22 29|"; distance:0; nocase; reference:bugtraq,15660; reference:cve,2005-4089; classtype:attempted-user; sid:17311; rev:1;)
# MZ header of a stock linker stub (e_cblp 0x90, e_cp 3, e_lfanew 0x40) then a ".petite"
# section name with one sample's section values at distance 288 -- sample-specific.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS ClamAV libclamav PE file handling integer overflow attempt"; flow:to_client,established; file_data; content:"|4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00|"; content:"|00 00 2E 70 65 74 69 74 65 00 00 D0 0D 00 00 30 FF FF A3 D1|"; within:20; distance:288; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0318; classtype:attempted-user; sid:17305; rev:2;)
# NOTE(review): keys on the PoC's helper name 'var mem = genGluck( "XXX'; renaming the
# function evades. sid 17414 below covers the same CVE with another PoC-literal fragment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt"; flow:from_server,established; content:"var|20|mem|20 3D 20|genGluck|28 20 22|XXX"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,12998; reference:cve,2005-0989; classtype:attempted-user; sid:17415; rev:3;)
# NOTE(review): requires "<channel " + CRLF + two spaces before href="file:// -- one PoC's
# indentation. Whitespace between the tag and attribute is free-form in CDF/XML, so any
# other layout evades; the portable indicator is a channel href using the file: scheme.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer CDF cross-domain scripting attempt"; flow:to_client,established; content:"|3C|channel|20 0D 0A 20 20|href|3D 22|file|3A 2F 2F|"; nocase; metadata:policy security-ips drop; reference:bugtraq,12427; reference:cve,2005-0056; reference:url,www.microsoft.com/technet/security/bulletin/ms05-014.mspx; classtype:attempted-user; sid:17411; rev:3;)
# SPECIFIC-THREATS, mixed block: one server-side rule (17386) followed by client-side
# browser, Office, QuickTime and AV-engine exploit rules. NOTE(review) comments describe
# signature quality only and do not alter rule semantics.
# NOTE(review): the only to_server rule in this group. It matches the PoC's injected
# FastCGI-style "SCRIPT_FILENAME/etc/passwd" (followed by 06 80 00) inside the HTTP request;
# any target path other than /etc/passwd evades. nocase on a mostly-binary pattern only
# affects the ASCII portion.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SPECIFIC-THREATS Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt"; flow:to_server,established; content:"SCRIPT_FILENAME/etc/passwd|06 80 00|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25622; reference:cve,2007-4727; classtype:attempted-user; sid:17386; rev:3;)
# NOTE(review): "adong7" (twice) is a PoC identifier; the real MS08-078 indicators are the
# datasrc/datafld bindings that follow, but they are only checked after the PoC name
# matches. Renaming the element/variable evades. The final "datafld" has no distance/within.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt"; flow:established,to_client; content:"adong7"; nocase; content:"adong7"; distance:0; nocase; content:"datasrc"; distance:0; nocase; content:"datafld"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,www.microsoft.com/technet/security/bulletin/ms08-078.mspx; classtype:attempted-user; sid:17402; rev:1;)
# Two record fragments from one Publisher sample; no file_data. msg uses "attempted" where
# sibling rules use "attempt".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Publisher Object Handler Validation Code Execution attempted"; flow:from_server,established; content:"|00 00 03 68 1A 01 00 00 34 00 00 00 01 20 01 00|"; content:"|01 20 1D 01 00 00 02 20 1C 01 00 00 03 90 5A 05 00 00 00 78 00 78|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,29158; reference:cve,2008-0119; classtype:attempted-user; sid:17383; rev:1;)
# 48-byte QuickTime atom run containing "sean" and "pdat" atom types with "AA" (41 41)
# filler -- PoC bytes from one sample, including its filler.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS QuickTime panorama atoms buffer overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 01 A6 73 65 61 6E 00 00 00 01 00 00 00 04 00 00 00 00 00 00 41 41 70 64 61 74 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26342; reference:cve,2007-4675; reference:url,docs.info.apple.com/article.html?artnum=306896; classtype:attempted-user; sid:17373; rev:2;)
# NOTE(review): PoC-literal JavaScript fragment (x = x.replace(/end/i, function($1){ ...)
# for the same CVE as sid 17415; exact spacing and identifier names are required.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt"; flow:from_server,established; content:"x|20 3D 20|x|2E|replace|28 2F|end|2F|i|2C 20|function|28 24|1|29 7B 20|var|20|y|20 3D 20 22|any|22 3B 20|y|2E|match|28 2F|any|2F|i|29|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,12998; reference:cve,2005-0989; classtype:attempted-user; sid:17414; rev:3;)
# NOTE(review): the second content is 18 consecutive 'a' characters (nocase) anywhere in
# the buffer, with no distance/within tying it to the CLSID. That is the PoC's filler, so a
# different filler evades, and a page embedding the RealPlayer control that also contains
# any 18-character run of a/A (base64, padding, IDs) will false-positive. No file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; fast_pattern:only; nocase; content:"aaaaaaaaaaaaaaaaaa"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:1;)
# UTF-16LE "ParentIdname" followed by 75 76 -- a string/value pair from one sample; no
# file_data, no service http.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:from_server,established; content:"P|00|a|00|r|00|e|00|n|00|t|00|I|00|d|00|n|00|a|00|m|00|e|00 75 76|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:17413; rev:3;)
# NOTE(review): 3F 5F 03 00 (the .hlp magic 0x00035F3F) with depth:4 and no file_data means
# the magic must be the first 4 bytes of the raw payload; on an HTTP response those are the
# status line, so the rule effectively requires the body to start a fresh segment. Confirm
# with a pcap, or anchor on file_data. The TTLBTREE fragment is from one sample.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows HLP File Handling heap overflow attempt"; flow:established,from_server; content:"|3F 5F 03 00|"; depth:4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:17374; rev:1;)
# "Column B?" followed by BIFF record bytes from one sample; no file_data. msg has "excel"
# in lowercase, unlike its siblings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft excel Malformed Filter Records Handling Code Execution attempt"; flow:to_client,established; content:"|43 6F 6C 75 6D 6E 20 42 3F 9B 00 00 00 9D 00 02 00 02 00 9E 00 1D 00 33 00 04 2A 06 02 8C 23 01 01 04 01 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,23780; reference:cve,2007-1214; classtype:attempted-user; sid:17377; rev:3;)
# NOTE(review): "%PDF-1.3\n%<binary comment>\n3" anchored at the body start (within:16
# directly after file_data, the same anchoring idiom as sid 17244), then a FlateDecode/
# ASCIIHexDecode filter array and the exact opening bytes of one zlib stream. The header
# comment is emitted by many generators; the stream bytes bind the rule to one sample.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS BitDefender Antivirus PDF processing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"|25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 33|"; within:16; content:"|3C 3C 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 44 65 63 6F 64 65 20 2F 41 53 43 49 49 48 65 78 44 65 63 6F 64 65 5D|"; within:40; distance:8; content:"|78 9C ED C2 31 0D 00 00 00 02 A0 4C 6E F6 CF 66 0D 0F 06 4D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 30 4B 03 6A 32|"; within:45; distance:22; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32396; reference:cve,2008-5409; classtype:attempted-user; sid:17430; rev:1;)
# 32-byte atom fragment from one sample; gated on flowbits http.quicktime but no file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:1;)
# NOTE(review): "p.type='xxx'" is a PoC variable name and placeholder value; only the
# following __defineSetter__( is tied to the bug. Renaming p or the value evades.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox defineSetter function pointer memory corruption attempt"; flow:established,to_client; content:"p.type=|27|xxx|27|"; nocase; content:"__defineSetter__|28|"; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,35758; reference:cve,2009-2469; classtype:attempted-user; sid:17422; rev:2;)
# NOTE(review): generic DOMNodeRemoved listener plus an appendChild(getElementById( call,
# both unanchored (the second has no distance). Legitimate DOM-mutation code can contain
# the same two calls, so expect some false positives; conversely the rule is not PoC-bound.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS mozilla firefox DOMNodeRemoved attack attempt"; flow:to_client,established; content:"document|2E|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2E|body|2E|appendChild|28|document|2E|getElementById|28|"; metadata:policy security-ips drop; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:17389; rev:3;)
# NOTE(review): "F89a" (tail of the GIF89a signature) followed by FF FF FF FF, i.e. a
# 65535x65535 logical screen, which is presumably the oversized-image trigger; the remaining
# 24 bytes are one sample's palette and restrict the rule to that file. Dropping them would
# generalize the detection to any GIF declaring these dimensions -- consider, then rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Java Web Start Splashscreen GIF decoding buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.gif; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-2086; classtype:attempted-user; sid:17395; rev:1;)
# Record fragment containing the PoC's "AAAA" (41 41 41 41) filler; a different filler evades.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Project Invalid Memory Pointer Code Execution attempt"; flow:from_server,established; content:"|00 0B 00 00 00 CC E5 1A 00 41 41 41 41 00 00 00 00 03 02 01 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28607; reference:cve,2008-1088; classtype:attempted-user; sid:17382; rev:1;)
# Generic: an IconURL install-trigger property set to a javascript: URL (nocase).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox IconURL Arbitrary Javascript Execution attempt"; flow:from_server,established; content:"IconURL|3A 20 22|javascript|3A|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,13544; reference:cve,2005-1477; classtype:attempted-user; sid:17424; rev:3;)
# NOTE(review): detects a /Pages node whose /Kids references itself, but only for object
# number 3 with CR (0x0D) line endings and the PoC's exact spacing; any other object number
# or LF line endings evade. The self-reference itself (obj N ... /Kids [ N 0 R ]) is the
# portable indicator and would need pcre with a back-reference.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat Reader PDF Catalog Handling denial of service attempt"; flow:established, to_client; flowbits:isset,http.pdf; content:"3 0 obj|0D 3C 3C 20 0D|/Type /Pages|20 0D|"; fast_pattern; nocase; content:"/Kids|20 5B 20|3 0 R |5D|"; within:15; nocase; metadata:policy security-ips drop; reference:bugtraq,21910; reference:cve,2007-0104; reference:url,projects.info-pull.com/moab/MOAB-06-01-2007.html; classtype:attempted-user; sid:17361; rev:2;)
# NOTE(review): LHA header (size 0x19, checksum 0x4C, method "-lh0-") plus one sample's
# size/time fields, at depth:20 with no file_data -- the same raw-payload anchoring caveat
# as sid 17374 applies. attempted-admin is consistent with an AV engine running as SYSTEM.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Avast! Antivirus Engine Remote LHA buffer overflow attempt"; flow:established,to_client; flowbits:isset,http.lzh; content:"|19 4C 2D 6C 68 30 2D 53 0C 00 00 2C 00 00 00 28 94 28 35 20|"; depth:20; metadata:policy security-ips drop; reference:bugtraq,19903; reference:cve,2006-4626; classtype:attempted-admin; sid:17541; rev:3;)
# NOTE(review): sids 17537 and 17539 both key on PoC author strings ("w00tw00tw00t" here, a
# longer UTF-16LE taunt in 17539); they detect the two published samples only. Only a
# bugtraq reference, no CVE.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel unspecified memory corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 0C 00 77 30 30 74 77 30 30 74 77 30 30 74 8C 00 04 00 21 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,15926; classtype:attempted-user; sid:17537; rev:3;)
# Two adjacent 16-byte fragments from one sample; no "service http" in metadata.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple QuickTime H.264 Movie File Buffer Overflow"; flow:to_client,established; flowbits:isset,http.quicktime; content:"|81 F6 3B 80 00 00 40 80 FF FF FF 87 25 B8 20 00|"; content:"|F9 31 40 00 52 EA FB EF BE FB EF BE FB EF BE FB|"; within:16; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,36328; reference:cve,2009-2799; classtype:attempted-user; sid:17523; rev:2;)
# NOTE(review): the content 00 18 00 1F is read here as a BIFF record header 18 00 (NAME)
# with length low byte 1F preceded by one 00 byte from whatever comes before the record;
# that leading byte constrains the preceding record and is presumably incidental -- confirm.
# byte_test then requires bit 0 set in the 16-bit LE field 6 bytes past the match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Excel Malformed Range Code Execution attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 18 00 1F|"; byte_test:2,&,1,6,relative,little; metadata:policy security-ips drop; reference:bugtraq,15780; reference:cve,2005-4131; classtype:attempted-user; sid:17488; rev:3;)
# Matches <a href=" followed by byte 0x01 and "xx" -- the start of the PoC payload; other
# control bytes or prefixes evade.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; content:"<a href=|22 01 78 78|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:1;)
# NOTE(review): SELECTION record (type 0x001D, length 0x000F) whose cref field is FF FF while
# the 15-byte body only holds one ref -- presumably the malformed condition. The trailing EF
# is the first byte of the next record and needlessly narrows the match; consider dropping it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel Malformed SELECTION Record Code Execution attempt"; flow:from_server,established; content:"|1D 00 0F 00 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 EF|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,18853; reference:cve,2006-1301; classtype:attempted-user; sid:17492; rev:3;)
# NOTE(review): PoC-literal JavaScript: function name spoffset(), exact indentation (LF plus
# six spaces), variable names mv and sp2 at fixed distances. Any reformatting evades.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer File Download Dialog Box Manipulation"; flow:established,to_client; file_data; content:"spoffset()|20|{|0A 20 20 20 20 20 20|"; nocase; content:"var|20|mv|20|=|20|window|2E|navi"; within:20; nocase; content:"var|20|sp2"; within:7; distance:29; nocase; metadata:policy security-ips drop; reference:bugtraq,15823; reference:cve,2005-2829; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-054.mspx; classtype:attempted-user; sid:17463; rev:2;)
# Companion to sid 17537 (see note there): a long UTF-16LE PoC author string from one sample.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel unspecified memory corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 00 0D 10 7E 00 00 00 3B 01 77 00 30 00 30 00 74 00 2C 00 20 00 4D 00 61 00 72 00 63 00 20 00 42 00 65 00 68 00 61 00 72 00 20 00 67 00 69 00 76 00 65 00 73 00 20 00 30 00 2E 00 30 00 31 00 24 00 20 00 62 00 6C 00 6F 00 77 00 6A 00 6F 00 62 00 20 00 61 00 74 00 20 00 65 00 62 00 61 00 79 00 2C 00 20 00 67 00 6F 00 67 00 6F 00 67 00 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,15926; classtype:attempted-user; sid:17539; rev:3;)
# NOTE(review): a complete ZIP local file header -- PK\x03\x04, deflate, DOS time/date
# 91 98 6E 33, CRC32 EB 71 F9 B3, compressed size 29, uncompressed 256, name "Shuffle.bmp" --
# plus the first compressed bytes. CRC and timestamp bind the rule to one exact file; the
# generic indicator would be the skin member name with an implausibly small/large size.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer zipped skin file buffer overflow attempt"; flow:to_client,established; content:"|50 4B 03 04 14 00 00 00 08 00 91 98 6E 33 EB 71 F9 B3 1D 00 00 00 00 01 00 00 0B 00 00 00 53 68 75 66 66 6C 65 2E 62 6D 70 73 F2 DD C1 E5 08 04|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,15382; reference:cve,2005-2630; classtype:attempted-user; sid:17461; rev:3;)
# 20-byte CHM directory fragment from one sample; no file_data. classtype attempted-admin
# differs from the attempted-user used for the other browser-delivered rules -- itss.dll
# runs in the user's context, so confirm the intended severity.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows itss.dll CHM File Handling Heap Corruption attempt"; flow:from_server,established; content:"|74 03 9E 02 4A 02 9C 01 12 01 8B 00 3E 00 25 00 00 00 02 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,17926; reference:cve,2006-2297; classtype:attempted-admin; sid:17490; rev:3;)
# NOTE(review): the references on this VLC rule (bugtraq,35232 / cve,2009-1122) are identical to
# those on the IIS 5.0 WebDAV bypass rule (sid:17525) and describe that Microsoft issue, not a
# VideoLAN one -- they look copy-pasted. Verify against the VLC MP4_BoxDumpStructure advisory and
# correct the reference fields (and bump rev) before relying on them for triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow"; flow:to_client,established; content:"|6F 76 00 00 19 FE 6D 6F 6F 76 00 00 19 F6 6D 6F|"; content:"|6F 76 00 00 19 CE 6D 6F 6F 76 00 00 19 C6 6D 6F|"; offset:32; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-user; sid:17527; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Quicktime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17471; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Microsoft IIS 5.0 WebDav Request Directory Security Bypass"; flow:to_server,established; content:"POST"; nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|"; within:16; distance:2; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-admin; sid:17525; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS IBM Lotus Domino Web Access 7 ActiveX exploit attempt"; flow:established,to_client; content:"E008A543-CEFB-4559-912F-C27C2B89F13B"; fast_pattern:only; nocase; content:"unescape|28 27 25 75 34|"; nocase; metadata:policy security-ips alert; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:17466; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Excel MalformedPalete Record Memory Corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:17542; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel unspecified memory corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|53 68 65 65 74 31 00 00 00 00 00 00 53 68 65 65 74 32 00 00|"; depth:20; offset:688; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,15926; classtype:attempted-user; sid:17538; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows Help File Heap Buffer Overflow attempt"; flow:from_server,established; content:"|80 80 00 00 C0 C0 C0 00 80 80 80 00 00 00 FF 00 00 FF 00 00 00 FF FF 00 FF 00 00 00 FF 00 FF 00 FF FF 00 00 FF FF FF 00 00 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,17325; reference:cve,2006-1591; classtype:attempted-user; sid:17489; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat and Adobe Reader U3D RHAdobeMeta Buffer Overflow"; flow:established,to_client; content:"|3C 3C 2F|Subtype|2F|U3D|2F|Length"; nocase; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2|"; content:"|95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|"; within:16; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35282; reference:cve,2009-1855; classtype:attempted-user; sid:17526; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer Error Handling Code Execution"; flow:from_server,established; content:"for|20 28|i=0|3B 20|i<20|3B 20|i++|29 7B|"; nocase; content:"document|2E|location|2E|href|3D|fileURL|3B|"; within:32; distance:11; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25916; reference:cve,2007-3892; classtype:attempted-admin; sid:17549; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; file_data; content:".RMF"; within:4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:from_server,established; flowbits:isset,http.pmd; content:"Courier|20|New|61 61 61 61 61 61 61 61 61|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17553; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17472; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Word Font Parsing Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|04 05 02 03 04 87 7A 00 20 00 00 00 80 08 00 00 00 00 00 00 00 FF 01 00 00 00 00 00 00 44 44|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,14216; reference:cve,2005-0564; classtype:attempted-user; sid:17550; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel TXO and OBJ Records Parsing Stack Memory Corruption"; flow:to_client,established; flowbits:isset,http.xls; content:"]|00|"; content:"|15|"; distance:0; byte_test:2,>,30,2,relative; content:"|04 01 BF 00 08 00 08 00 81 01 09 00 00 08 83 01|"; content:"|4D 00 00 08 BF 01 10 00 10 00 C0 01 17 00 00 08|"; within:16; reference:bugtraq,32618; reference:cve,2008-4265; classtype:attempted-user; sid:17532; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Word mso.dll LsCreateLine memory corruption attempt"; flow:from_server,established; flowbits:isset,http.doc; content:"|41 41 41 41 41 41 41 41 09 09 09 09 09 09 0D 41 41 41 41 41 41 41 41 41 41 41 41 41 41 09 0D 41|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,18905; reference:cve,2006-3493; classtype:attempted-user; sid:17491; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS nginx URI parsing buffer overflow attempt"; flow:established,to_server; content:"GET |2F 25|23|2E 2E|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36384; reference:cve,2009-2629; classtype:attempted-admin; sid:17528; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Drawing Record msofbtOPT Code Execution attempt"; flow:to_client,established; content:"|00 06 00 53 68 65 65 74 33 8C 00 04 00 01 00 01|"; content:"|00 A0 03 41 41 41 41 81 01 09 00 00 08 C0 01 40|"; within:16; distance:64; metadata:policy security-ips drop; reference:bugtraq,22383; reference:cve,2007-0671; classtype:attempted-user; sid:17579; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash ASnative command execution attempt"; flow:to_client, established; content:"|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|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:17606; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer object clone deletion memory corruption attempt"; flow:established,to_client; content:"var nopsled"; nocase; content:"cloneNode|28 29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0075; reference:url,www.microsoft.com/technet/security/bulletin/MS09-002.mspx; classtype:attempted-user; sid:17644; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Java Runtime Environment JAR File Processing Stack Buffer Overflow"; flow:from_server,established; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32608; reference:cve,2008-5354; classtype:attempted-user; sid:17563; rev:1;)
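# Firefox IFRAME style-change handling (MFSA 2008-15 / CVE-2008-1236), client-side HTML/JS.
# Fix: the second content match was "addEvenListener(" (missing the 't'). The DOM API is
# addEventListener, so the rule as previously written could never match a functioning page
# and was effectively dead. rev bumped 1 -> 2 for the pattern change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox IFRAME style change handling code execution"; flow:established,to_client; content:"contentDocument.designMode"; nocase; content:"addEventListener|28|"; distance:0; nocase; content:"iframe.style.position"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:2;)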
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS AcroPDF.PDF ActiveX exploit attempt"; flow:established,to_client; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; content:"onClick=|22|checkversion|28|fn.value|29 22|"; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,12989; reference:bugtraq,21155; reference:cve,2005-0035; reference:cve,2006-6027; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:17587; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office PowerPoint PP7 File Handling Memory Corruption attempt"; flow:from_server,established; content:"|08 00 00 00 00 00 00 00 AA FF FF 3F 00 00 00 00 FD 03 00 00 01 00 00 00 34 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34880; reference:cve,2009-0225; classtype:attempted-user; sid:17565; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple AV vendor invalid archive checksum bypass attempt"; flow:to_client,established; file_data; content:"|50 4B 03 04 0A 00 00 00 00 00 E0 98 B8 28 00 00 00 00 44 00 00 00 44 00 00 00 09 00 00 00 65 69 63 61 72 2E 63 6F 6D 58|"; within:40; metadata:policy security-ips drop; reference:bugtraq,12771; reference:url,archives.neohapsis.com/archives/fulldisclosure/2005-03/0207.html; classtype:attempted-user; sid:17651; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer possible javascript onunload event memory corruption"; flow:from_server,established; content:"document.write("; content:"body|20|onunload=|22|exploit"; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,22678; reference:cve,2007-1094; classtype:attempted-user; sid:17585; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash frame type identifier memory corruption attempt"; flow:established,to_client; flowbits:isset,http.swf; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:17658; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer DOM object cache management memory corruption attempt"; flow:to_client,established; content:"getElementsByTagName"; nocase; content:"removeNode|28|true|29|"; distance:0; fast_pattern; nocase; pcre:"/\x2EgetElementsByTagName\x28[^\x29]+?\x2EremoveNode\x28true\x29/smi"; metadata:policy security-ips drop; reference:bugtraq,26817; reference:cve,2007-5344; classtype:attempted-user; sid:17554; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client, established; content:"<pre>|0A 09 09|<span style=|22|white-space|3A|normal|3B 22 2F|><span>"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,17468; reference:cve,2006-1188; classtype:attempted-user; sid:17580; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Facebook Photo Uploader ActiveX exploit attempt"; flow:established,to_client; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; fast_pattern:only; nocase; content:"unescape|28 22 25|u"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,www.microsoft.com/technet/security/advisory/953839.mspx; classtype:attempted-user; sid:17654; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Word Global Array Index Heap Overflow attempt"; flow:from_server,established; flowbits:isset,http.doc; content:"|22 B0 08 07 23 90 A0 05 24 90 A0 05 33 50 00 19 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32583; reference:cve,2008-4026; classtype:attempted-user; sid:17560; rev:1;)
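# Windows graphics engine EMF rendering (CVE-2005-2123), server-to-client HTTP.
# Fix: msg typo "hraphics" -> "graphics" so alert text is searchable/consistent in downstream
# tooling; rev bumped 1 -> 2 because the rule text changed. Detection content is unchanged.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows graphics engine EMF rendering vulnerability"; flow:to_client,established; content:"|C5 00 00 00 04 00 00 80 8D 00 83 00 8D 00 84 00 AF 01 10 01 AF 01 0F 01|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,15352; reference:cve,2005-2123; classtype:attempted-user; sid:17618; rev:2;)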
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:established,to_client; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17624; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer object reference memory corruption attempt"; flow:established, to_client; content:"obj|2E|setExpression|28 22|width"; fast_pattern; nocase; content:"|22 2C 22|document|2E|body|2E|offsetWidth|22 29|"; within:30; metadata:policy security-ips drop; reference:cve,2007-3902; reference:url,www.securityfocus.com/bid/26506; classtype:attempted-user; sid:17622; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Java Web Start arbitrary command execution attempt"; flow:to_client,established; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; nocase; content:"jnlpDocbase=|22|ABBA|3A|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:17660; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS CUPS and Xpdf JBIG2 symbol dictionary buffer overflow attempt"; flow:to_client,established; content:"JBIG2Decode"; content:"|03 FF FD FF 02 FE FE FE 00 00 00 36 FF FF FF F0 94 6B 62 1B|"; within:1000; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0195; reference:url,www.cups.org/str.php?L3129; classtype:attempted-user; sid:17641; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Word Section Table Array Buffer Overflow attempt"; flow:from_server,established; flowbits:isset,http.doc; content:"|24 00 61 24 03 00 00 00 00 00 00 00 D1 50 00 00 04 00 00 AC 00 00 00 00 FF FF FF FF 00 00 00 00 CE|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,22225; reference:cve,2007-0515; classtype:attempted-user; sid:17578; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Pagemaker Key Strings Stack Buffer Overflow attempt"; flow:from_server,established; flowbits:isset,http.pmd; content:"Magenta"; nocase; content:"|41 41 41 41 41|"; within:5; distance:241; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,31999; reference:cve,2007-6432; classtype:attempted-admin; sid:17650; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; content:"|53 51 86 A4 50 1D CD 50 3B D5 D0 6C E3 D5 19 36 A5 55 34 63 7A 7B B1 04 1D E7 EF 6A 69 49 8A 54 D1 73 FD 0C F7 02 5E FA 70 4E E8 68 94 FF 14 1E DC 80 7B 58 96 D0 4A 7C DF F0 5C F0 50 88 73 8D|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:17626; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer 7 Event Handler Memory Corruption"; flow:to_client,established; content:"activate|20|=|20|function|20|()"; nocase; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35224; reference:cve,2009-1530; classtype:attempted-user; sid:17566; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sophos Anti-Virus Visio File Parsing Buffer Overflow attempt"; flow:from_server,established; flowbits:isset,visio.request; content:"Visio|20 28|TM|29 20|Drawing"; nocase; content:"|77 77 00 80|"; within:4; distance:30; metadata:policy security-ips drop; reference:bugtraq,14362; reference:cve,2005-2768; classtype:attempted-user; sid:17574; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; content:"|52 4B 55 F6 EF DF 63 70 A3 6C 5C 5B 48 71 BB 7A 70 77 3B 44 69 5B|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:17628; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:from_server,established; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:established,to_client; content:"E9880553-B8A7-4960-A668-95C68BED571E"; fast_pattern:only; nocase; content:"unescape|28 27 25 75 34|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:established,to_client; content:"|63 3B 84 6A B2 84 BC F8 B0 41 1B 77 2D E5 CE 32 34 0D C6 F2 8A F4 08 57 E4 45 19 76 E7 51 82 43 3C F9 F3 33 A3 8B D8 41 C0 D4 E6 8B F9 E0 12 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17623; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox tag order memory corruption attempt"; flow:established,to_client; content:"<table>|0A|<html>|0A|<frameset>"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:17581; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Java AWT ConvolveOp memory corruption attempt"; flow:established,to_client; content:"java/awt/image/ConvolveOp|0C 00 0E 00 23 01 00|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,21675; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1; classtype:attempted-user; sid:17604; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee LHA file parsing buffer overflow attempt"; flow:established,to_client; content:"-lh0-"; nocase; content:"AAAAAAAA"; within:50; metadata:policy security-ips drop; reference:bugtraq,10243; reference:cve,2005-0643; classtype:attempted-user; sid:17704; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer popup title bar spoofing attempt"; flow:established,to_client; content:"window.open|28|"; nocase; content:"authentication.trusted.com"; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,12602; reference:cve,2005-0500; classtype:misc-activity; sid:17703; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Office Viewer ActiveX arbitrary command execution attempt"; flow:established,to_client; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5"; nocase; content:"targetObject.OpenWebFile|28|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips alert, service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer address bar spoofing attempt"; flow:established,to_client; content:"win = window.open|28 27|test.swf|27|"; nocase; content:"win = window.open|28 27|http|3A 2F 2F|"; within:100; nocase; metadata:policy security-ips drop; reference:bugtraq,17404; reference:cve,2006-1626; classtype:misc-activity; sid:17726; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun JDK image parsing library ICC buffer overflow attempt"; flow:established,to_client; flowbits:isset,java_class_file.request; content:"|BC 08 59 03 02 54 59 04 10 D8 54 59 05 02 54 59|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,24004; reference:cve,2007-2788; reference:url,scary.beasts.org/security/CESA-2006-004.html; classtype:attempted-user; sid:17727; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Quicktime FlashPix processing overflow attempt"; flow:to_client, established; flowbits:isset,http.fpx; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|FE FF 09 00|"; within:4; distance:20; content:"|00 00 80 00|"; within:4; distance:12; reference:bugtraq,36328; reference:cve,2009-2798; classtype:attempted-user; sid:17740; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; content:"<embed type=|27 22| + asMimeTypes.shift"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-014.mspx; classtype:attempted-user; sid:17729; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:from_server,established; flowbits:isset,http.pmd; content:"|61 61 61 61 61 61 61 61 61 61 61 61 0F 42 01 05 41 41 41 41 41 41 41 41|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17735; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt"; flow:established,to_client; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS BitDefender Internet Security script code execution attempt"; flow:established,to_client; content:"PK|03 04 0A|"; content:"|3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0850; classtype:attempted-user; sid:17778; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS CBO CBL CBM buffer overflow attempt"; flow:to_client,established; content:"Microsoft Interactive Training]"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; content:"Syllabus="; content:"|41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; reference:bugtraq,13944; reference:cve,2005-1212; reference:cve,2006-3448; reference:nessus,18492; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-005.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS05-031.mspx; classtype:attempted-user; sid:17780; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"rcsL"; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|"; within:20; distance:484; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44291; reference:cve,2010-3653; classtype:attempted-user; sid:17807; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"rcsL"; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|"; within:20; distance:192; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44291; reference:cve,2010-3653; classtype:attempted-user; sid:17806; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption attempt"; flow:established,to_client; content:"|94 C5 F6 3F 3E E5 D9 7D 76 53 37 D9 10 62 28 06 8D 44 71|"; content:"|CC F3 6C A1 DC 0F DF DF EB F5 FD E7 8B 99 E7 99 39 73 E6 CC 99|"; distance:0; content:"|EE 7E F1 F1 1E E9 C8 72 36 A9 3A 54 1F 2A 1A C4 58 B7 DB|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-3654; reference:url,www.adobe.com/support/security/advisories/apsa10-05.html; classtype:attempted-user; sid:17808; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Thinkpoint fake antivirus binary download"; flow:established,to_client; content:"|30 B6 AD D9 C7 B7 41 8E 75 6E 65 78 70 30 65 B4 26 6D|"; content:"|BA 3A 0D 0A 4F E8 7A 65 7E 66 B5 05 EF AD 61 49 C9 80 75 6D 58|"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17817; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18077; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18078; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS malware-associated JavaScript obfuscation function"; flow:established,to_client; content:"function re|28|s,n,r,b,e|29|{if|28|s<b|7C 7C|s>e|29|return s|3B|"; fast_pattern:only; reference:url,labs.snort.org/docs/18132.html; classtype:trojan-activity; sid:18132; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; distance:0; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18178; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|removeEventListener|28|"; within:500; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18176; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|addEventListener|28|"; within:500; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18177; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt"; flow:to_client,established; content:"|6F 6E 6C 6F 61 64 3D 22 73 65 74 54 69 6D 65 6F 75 74 28 27 61 6C 65 72 74 28 6F 2E 6F 62 6A 65 63 74 2E 64 6F 63 75 6D 65 6E 74 45 6C 65 6D 65 6E 74 2E 6F 75 74 65 72 48 54 4D 4C 29 27 2C 31 30 30 30 29|"; reference:bugtraq,18682; reference:cve,2006-3280; classtype:attempted-user; sid:18193; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple browser marquee tag denial of service attempt"; flow:to_client,established; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt"; flow:to_client,established; content:"|72 65 74 72 20 3D 20 6F 2E 6F 62 6A 65 63 74 2E 64 6F 63 75 6D 65 6E 74 45 6C 65 6D 65 6E 74 2E 69 6E 6E 65 72 48 54 4D 4C|"; content:"|73 65 74 54 69 6D 65 6F 75 74 28 27 72 65 74 72 69 65 76 65 28 29 27 2C 31 29|"; distance:0; reference:bugtraq,18682; reference:cve,2006-3280; classtype:attempted-user; sid:18194; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Sun Java browser plugin docbase overflow attempt"; flow:established,to_client; content:"name=|22|docbase|22| value=|22 27| + "; nocase; content:"sBoF"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18245; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; content:"alert|28|xx.toXMLString"; fast_pattern:only; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; fast_pattern:only; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; content:"var rr="; nocase; content:".toSource|28 29 3B|"; within:12; distance:1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; content:"|2E|location|20 3D 20 22|about|3A|blank|22 3B|"; content:"setTimeout|28|b|2C 20|500|29 3B|"; within:100; metadata:policy security-ips drop; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18264; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|"; distance:0; content:"editEl|2E|disabled|20 3D 20|false|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; content:"|3C|q style|3D 22|position|3A|relative|3B 22 3E 3C|q style|3D 22|position|3A|relative|3B 22 3E|"; content:"|2E|style|2E|position|3D 27|static|27 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox Javascript large regex memory corruption attempt"; flow:to_client,established; content:"Ocilla|7C|Ocoee|7C|Oconee|7C|Oconomowoc|7C|Ocontoabasadasdasdasdasdasdasdad|7C|x|29 29 2F|i|3B|"; reference:bugtraq,17516; reference:cve,2006-1737; classtype:attempted-user; sid:18298; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|"; distance:0; content:"s|2B 3D|s|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer frameset memory corruption attempt"; flow:to_client,established; content:"self.resizeTo|28|2003, 1228|29 3B|"; reference:bugtraq,18277; reference:cve,2006-3637; classtype:attempted-user; sid:18307; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; content:"|26|lt|3B|pre|26|gt|3B 26|lt|3B|td|26|gt|3B|"; content:"|26|lt|3B|menu|26|gt|3B 0A 26|lt|3B|legend|26|gt|3B|"; within:27; distance:1; metadata:policy security-ips drop; reference:cve,2006-1188; classtype:attempted-user; sid:18305; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|"; distance:0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|"; distance:0; content:"a|3D|r|2E|createTextRange|28 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; classtype:attempted-user; sid:18313; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:1;)
# sid:18482 — header direction corrected to $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any; with flow:to_client this rule, like the sibling client-side browser rules here, inspects exploit content delivered to $HOME_NET browsers (the previous $HOME_NET -> $EXTERNAL_NET header would never see that traffic).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; content:"str2|20 3D 20|str|3B|"; content:"history|2E|go|28|str2|29 3B|"; distance:0; fast_pattern; content:"str2|20 2B 3D 20|str|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|"; within:70; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,www.microsoft.com/technet/security/bulletin/ms05-020.mspx; classtype:attempted-user; sid:18523; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed shapeid arbitrary code execution attempt"; flow:established,to_client; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0118; reference:url,www.microsoft.com/technet/security/bulletin/ms08-016.mspx; classtype:attempted-user; sid:18514; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,www.microsoft.com/technet/security/bulletin/ms05-020.mspx; classtype:attempted-user; sid:18518; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,www.microsoft.com/technet/security/bulletin/ms05-020.mspx; classtype:attempted-user; sid:18522; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Visio VSD file icon memory corruption"; flow:established,to_client; flowbits:isset,visio.request; content:"|00 00 FF FF FF 00 FF 00 00 00 00 FF 00 00 00 00 FF 00 FF FF 00 00 FF 00 FF 00 00 FF FF 00 80 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2009-0095; reference:url,www.microsoft.com/technet/security/bulletin/ms09-005.mspx; classtype:attempted-user; sid:18515; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,www.microsoft.com/technet/security/bulletin/ms05-020.mspx; classtype:attempted-user; sid:18521; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,www.microsoft.com/technet/security/bulletin/ms05-020.mspx; classtype:attempted-user; sid:18519; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"try|20 7B 20|window|2E|open|28 29 2E|document|2E|appendChild|28|document|29 3B 20 7D 20|catch|28|e|29 20 7B 7D|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,www.microsoft.com/technet/security/bulletin/ms05-020.mspx; classtype:attempted-user; sid:18520; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|1D 00 00 00 FF FF 21 00 34 02 C7 FC 1E 00 23 30 00 00 00 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; classtype:attempted-user; sid:18538; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer invalid pointer memory corruption attempt"; flow:established,to_client; content:"setAttribute"; content:"document.location"; distance:0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|"; within:40; content:"<marquee"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0806; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; classtype:attempted-user; sid:18540; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel 2007 invalid comments.xml uninitialized pointer access attempt 3"; flow:to_client,established; content:"|6C 2F 63 6F 6D 6D 65 6E 74 73 31 2E 78 6D 6C AC AA AA AA AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0263; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; classtype:attempted-user; sid:18541; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Windows Media Player ActiveX unknown compression algorithm use arbitrary code execution attempt"; flow:to_client,established; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"poc|2E|avi"; fast_pattern; nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0268; reference:url,www.microsoft.com/technet/security/bulletin/ms10-027.mspx; classtype:attempted-user; sid:18542; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS QuickTime PictureViewer buffer overflow attempt"; flow:established,to_client; flowbits:isset,http.jpeg; content:"|4A 46 49 46|"; content:"|EB 06 44 00|"; distance:0; content:"|42 42 42 42|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18600; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS QuickTime PictureViewer buffer overflow attempt"; flow:established,to_client; flowbits:isset,http.jpeg; content:"|4A 46 49 46|"; content:"|B8 EC 12 00|"; within:4; distance:269; content:"|42 42 42 42|"; within:4; distance:37; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18599; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Outlook Express WAB file parsing buffer overflow attempt"; flow:to_client,established; content:"|00 00 00 1F 00 11 3A FF FF 0F 00 46 00 6F 00 72 00 6F|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-016.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms06-076.mspx; classtype:attempted-user; sid:18590; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"|2F|S|2F|JavaScript|2F|JS"; nocase; content:"|ED 54 CB 6E 13 41 10 BC FB 2B 46 91 AC D8 72 88|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2008-2992; classtype:attempted-user; sid:18596; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Opera file URI handling buffer overflow"; flow:established,to_client; content:"var file = |22|file|3A 2F 2F 22 3B 0A 0A|"; nocase; content:"var i = 0|3B| i<16438|3B|"; distance:0; nocase; reference:bugtraq,32323; reference:cve,2008-5178; classtype:attempted-user; sid:18597; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|"; distance:0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:18585; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS lizamoon script injection"; flow:established,to_client; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|ur.php"; within:50; fast_pattern; nocase; reference:url,isc.sans.edu/diary.html?storyid=10642; classtype:misc-activity; sid:18604; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,works.download; content:"|00 00 00 00 A2 04 00 00 00 00 4E 03 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1533; reference:url,www.microsoft.com/technet/security/bulletin/MS09-024.mspx; classtype:attempted-user; sid:18615; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,works.download; content:"Times|20|New|20|Roman|20|Cyr|03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41|"; content:"|41 41 41 41 28 AE 12 00 41 41 41 41 58 17 DD 77|"; within:16; distance:112; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1533; reference:url,www.microsoft.com/technet/security/bulletin/MS09-024.mspx; classtype:attempted-user; sid:18616; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS OpenSSL CMS structure OriginatorInfo memory corruption attempt"; flow:to_client,established; content:"|06 09 2A 86 48 86 F7 0D 01 07 03|"; content:"|A0 03 02 01 02 02 0B 01 00 00 00 00 01 16 0F 8C 27 81|"; within:48; reference:bugtraq,40502; reference:cve,2010-0742; classtype:attempted-user; sid:18766; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari WebKit Range Object Remote Code Execution"; flow:from_server,established; file_data; content:"document.addEventListener(|22|"; nocase; content:"innerHTML"; distance:0; nocase; content:"document.createRange|28 29 3B|"; distance:0; nocase; content:".extractContents|28 29 3B|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS rich text format unexpected field type memory corruption attempt"; flow:established,to_client; content:"|4B 47 2D D7 6B CF 87 5D CF DB F3 1E FE 9F 9F 5F F4 A3 30 49 BC A4 DB 9E B3 C3 7B ED B9 C5 28 6E|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-1901; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; classtype:attempted-user; sid:18953; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.ttf; content:"|AA FF FF FF FF 00 00 00 20 00 00 00 03 00 00 00 21 00 00 00 7E 00 00 00 04 00 00 00 A0 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2738; reference:url,www.microsoft.com/technet/security/bulletin/MS10-063.mspx; classtype:attempted-user; sid:18952; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS rich text format unexpected field type memory corruption attempt"; flow:established,to_client; content:"|CB 5D 91 76 A2 A3 23 D7 EF 15 F9 A8 E3 7A DD A5 78 21 08 0E FE 17 FF 2F 2D AD 84 49 9C 65 41 B6|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-1901; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; classtype:attempted-user; sid:18954; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; content:"document.getElementById|28|'colid1'|29 2E|onpropertychange|20|="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37891; reference:cve,2010-0244; classtype:attempted-user; sid:18951; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|00 00 20 02 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 00 10 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2572; reference:url,www.microsoft.com/technet/security/bulletin/MS10-088.mspx; classtype:attempted-user; sid:18948; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; content:"elem.getAttributeNode|28 27|rows|27 29 2E|removeChild|28|nodes|5B 30 5D 29 3B|"; content:"setTimeout|28|function|28 29 20 7B 0A 09|"; within:40; content:"try|20 7B 20|nodes|5B 30 5D 2E|textContent|20 7D 20|catch|20 28 65 78 29 20 7B 20 7D|"; within:100; metadata:policy security-ips drop; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:18958; rev:1;)
# Adobe Flash (APSB11-12) signatures; all three need flowbit http.swf and match one
# fixed byte sequence with fast_pattern:only.
# sid:18963 - CVE-2011-0622; carries no metadata: policy line, so IPS policies do not drop on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe ActionScript 3 addEventListener exploit attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|AB 02 60 90 01 4F AC 02 02 47 00 00 67 03 02 09|"; fast_pattern:only; reference:cve,2011-0622; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18963; rev:2;)
# sid:18971 - CVE-2011-0620.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash beginGradientfill improper color validation attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|2B 6D 01 65 01 5D BD 02 5D BB 02 65 01 6C 04 46 BB 02 01 46 BD 02 01 60 09 87 80 09 6D 04 10 2D|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2011-0620; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18971; rev:1;)
# sid:18966 - CVE-2011-0627 (a second DefineFont4 rule, sid:18964, covers CVE-2011-0619).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash file DefineFont4 remote code execution attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|01 01 09 00 04 00 02 00 00 00 02 00 00 01 0D 07 00 02 01 07 09 00 00 02 02 08 07|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2011-0627; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18966; rev:1;)
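# sid:18957 - msg category prefix normalised to "SPECIFIC-THREATS" (it read
# "SPECIFIC-THREAT"); rev bumped.  Companion to sid:18958 for the same CVE-2010-1119
# trigger, keyed on a different JavaScript variant (getAttributeNode('id') then
# document.body.removeChild(id)), each later fragment bounded by within:.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; content:"= document.getElementById|28 22|t|22 29|"; content:"= id.getAttributeNode|28 27|id|27 29|"; within:50; content:"document.body.removeChild|28|id|29 3B|"; within:100; metadata:policy security-ips drop; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:18957; rev:2;)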
# sid:18967 - CVE-2011-0621; flowbit http.swf; no metadata: policy line.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe ActionScript argumentCount download attempt"; flow:from_server,established; flowbits:isset,http.swf; content:"|0B 0B D0 30 20 80 04 24 01 55 01 02 47 00 00 02|"; fast_pattern:only; reference:cve,2011-0621; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18967; rev:1;)
# sid:18965 - CVE-2011-0624; three byte sequences that must appear in this order
# (distance:0 anchors each to the end of the previous match); no fast_pattern set,
# so the engine chooses one itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash file ActionScript 2 ActionJump remote code execution attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|99 02 00 BC CB|"; content:"|99 02 00 39 FA|"; distance:0; content:"|99 02 00 48 9D 99 02 06 A2 F9|"; distance:0; metadata:policy security-ips drop; reference:cve,2011-0624; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18965; rev:1;)
# sid:18970 - CVE-2011-0626; flowbit http.swf.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player null pointer dereference attempt"; flow:established,to_client; flowbits:isset,http.swf; content:"|F4 00 3F 00 7F 12 0D 00 00 00 1D 00 80 02 08 3B 00 00 00 00 DE 42 03 FF 02 19 00 00 00 1E 00 50|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2011-0626; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18970; rev:1;)
# sid:18968 - CVE-2011-0618; flowbit http.swf.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash ActionScript3 stack integer overflow attempt"; flow:established,to_client; flowbits:isset,http.swf; content:"|2A 2A 24 48 24 65 24 6C 2A 24 6F 24 00 24 40 24 00 2A 2A 56|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2011-0618; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18968; rev:1;)
# sid:18964 - CVE-2011-0619; the bytes embed the ASCII font name "Windsong" and "OTTO",
# i.e. one specific font sample - a renamed font would not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash file DefineFont4 remote code execution attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|FF 16 D8 89 00 00 01 00 04 57 69 6E 64 73 6F 6E 67 00 4F 54 54 4F 00 0A 00 80 00 03 00 20 43 46 46 20 C5 97 55|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2011-0619; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18964; rev:1;)
# sid:18969 - covers two CVEs (2011-0623, 2011-0625) with one byte sequence.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionScript ActionIf integer overflow attempt"; flow:established,to_client; flowbits:isset,http.swf; content:"|00 18 36 00 3F 03 07 00 00 00 12 9D 02 00 12 B1 00 40 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:cve,2011-0623; reference:cve,2011-0625; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18969; rev:1;)
# sid:19071 - CVE-2011-0609 (APSB11-06); three 16-byte slices at fixed offsets
# (distance:336 then distance:288 from the prior match, within:16 = exact position),
# so this is a fingerprint of one sample layout; sid:19080/19082/19083 are siblings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|"; within:16; distance:336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|"; within:16; distance:288; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19071; rev:1;)
# sid:19078 - CVE-2010-3765; keyed on literal variable/id names from a test page
# ("tags", "telus"), so it only catches that script verbatim.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox html tag attributes memory corruption"; flow:established,to_client; content:"var tags = new Array (|22|base|22|, |22|a|22|, |22|audio|22|)"; nocase; content:"tobj.id = |22|telus|22|"; distance:0; reference:cve,2010-3765; classtype:attempted-user; sid:19078; rev:1;)
# sid:19081 - CVE-2010-3962 (MS10-090); generic string-building loop
# (.length;i++ / String.fromCharCode / .charCodeAt(i)) - expect benign JavaScript to
# trip this more often than the byte-exact rules above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer CSS style memory corruption attempt"; flow:to_client,established; content:".length|3B|i++"; content:"+= String.fromCharCode("; within:100; content:".charCodeAt(i)"; within:100; reference:cve,2010-3962; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-090.mspx; classtype:attempted-user; sid:19081; rev:1;)
# sid:18988 - CVE-2010-2883 (SING table); PDF object "10 0 obj" with stream length
# 65932 and a zlib header (78 9C); no flowbit, unlike siblings 18989/18990/18991.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; content:"10 0 obj"; content:"65932>>"; within:200; content:"|78 9C D4 BD|"; within:50; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18988; rev:1;)
# sid:18990 - CVE-2010-2883; flowbit http.pdf; /FontDescriptor, /Length1 65932, then
# the first 32 bytes of the compressed font stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 9C EC BD 09 78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 5B D8 D2 49 48 20 10 92|"; within:100; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18990; rev:1;)
# sid:19004 - CVE-2010-1806; three unordered content matches (no distance/within).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:1;)
# sid:19010 - CVE-2010-1814; second content is an exact-spacing onchange handler.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; content:"element = document.getElementById"; content:"element.onchange = function|28 29 20 7B 20|element.size = 50|3B 20 7D|"; distance:0; metadata:policy security-ips drop; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19010; rev:1;)
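# sid:19079 - CVE-2008-2254 (MS08-045).  Two fixes, rev bumped:
#   * flow: was written "to_client, established" with a space after the comma; every
#     other rule here omits it, so the option no longer relies on the parser trimming it.
#   * in the pcre, the "." in document.createElement and form.appendChild was an
#     unescaped any-character metacharacter; it is now "\." so only the literal member
#     access matches, consistent with the surrounding literal content: options.
# The pcre is relative (R flag) to the preceding content match and spans the loop
# body between braces; the final content must appear after it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer getElementById object corruption"; flow:to_client,established; content:"function post_info(info_array)"; content:"info_array.length|3B| i ++)"; distance:0; pcre:"/^\s*\x7B[^\x7D]*document\.createElement\('input'\)[^\x7D]*form\.appendChild\(plugin\)\s*\x7D/smiR"; content:"document.body.removeChild(form)|3B|"; reference:bugtraq,30614; reference:cve,2008-2254; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-045.mspx; classtype:attempted-user; sid:19079; rev:2;)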
# sid:19009 - CVE-2010-1814; keyed on WebKit layout-test harness calls
# (window.layoutTestController, eventSender.keyDown), i.e. the regression test itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|"; distance:0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|"; distance:0; content:"document.body.offsetTop|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:1;)
# sid:18991 - CVE-2010-2883; flowbit http.pdf; same /Length1 65932 prefix as 18990 with
# a different slice of the compressed stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 01 C2 96 4E 42 02 81 10 22 84 55 C1 84 6C 04|"; within:100; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18991; rev:1;)
# sid:19084 - CVE-2010-3962 (advisory 2458511); inspects the file_data buffer for a
# <style> block with position:absolute and clip: rect(1px), each within 50 bytes of
# the previous match, case-insensitive.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer CSS style memory corruption attempt"; flow:to_client,established; file_data; content:"<style type="; nocase; content:"text/css"; within:50; nocase; content:"position|3A|absolute"; within:50; nocase; content:"clip|3A 20|rect(1px)"; within:50; nocase; metadata:policy security-ips drop; reference:cve,2010-3962; reference:url,www.microsoft.com/technet/security/advisory/2458511.mspx; classtype:attempted-user; sid:19084; rev:1;)
# sid:18992 - CVE-2010-3654; flowbit http.swf; matches ActionScript identifier names
# (ROPPayload / strToInt / shellcode) from a published sample - trivially renamed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash player content parsing execution attempt"; flow:established,to_client; flowbits:isset,http.swf; content:"ROPPayload|08|strToInt|09|shellcode"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44503; reference:cve,2010-3654; classtype:attempted-user; sid:18992; rev:1;)
# sid:19063 - CVE-2010-2564 (MS10-050); flowbit http.mswmm; the match is a 4-byte
# length prefix followed by twelve literal "A"s, i.e. the filler of one PoC file -
# a sample with different padding would not trigger.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,http.mswmm; content:"|00 12 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2564; reference:url,www.microsoft.com/technet/security/bulletin/MS10-050.mspx; classtype:attempted-user; sid:19063; rev:2;)
# sid:19080 - CVE-2011-0609; flowbit http.swf; fixed-offset 16-byte slices
# (distance:320, within:16) as in sid:19071.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|"; within:16; distance:320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|"; within:16; distance:320; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19080; rev:1;)
# sid:19077 - CVE-2010-3765; fast_pattern placed on the second content
# ("<script>crashme();</script>"), which is the rarer of the two strings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox appendChild use-after-free attempt"; flow:established,to_client; content:"var cobj=document.createElement(str)"; content:"<script>crashme()|3B|</script>"; distance:0; fast_pattern; reference:cve,2010-3765; classtype:attempted-user; sid:19077; rev:1;)
# sid:19083 - CVE-2011-0609; the bytes are chunked-encoding style "N\r\n...\r\n" fragments
# ("3\r\nCWS\r\n1\r\n..."), so this targets a sample delivered in that specific framing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|"; within:16; distance:320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|"; within:16; distance:320; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:1;)
# sid:18995 - CVE-2010-1812; ordered selectAllChildren / display='none' / removeAllRanges.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|"; distance:0; content:"window|2E|getSelection|28 29 2E|removeAllRanges"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:1;)
# sid:19082 - CVE-2011-0609 via PDF (flowbit http.pdf); first content is ASCII
# "c/UF(poc.swf)>>", second is a "/CheckSum<...>/Cre" dictionary entry at a fixed
# offset - embedded file name and checksum of one PoC, not the vulnerability.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|"; within:48; distance:112; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19082; rev:1;)
# sid:18989 - CVE-2010-2883; flowbit http.pdf; zlib header 78 DA variant of 18990.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 DA EC BD 09 78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 5B D8 D2 49 48 20 10 92|"; within:50; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18989; rev:1;)
# sid:19003 - CVE-2010-1806; second variant of sid:19004 using element ids
# "output" / "block-sibling".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:1;)
# sid:19076 - CVE-2010-3765; the first content embeds exact newline-plus-three-space
# indentation bytes (0A 20 20 20) from one script, so reformatting defeats it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox appendChild use-after-free attempt"; flow:established,to_client; content:"var cobj=document.createElement(str)|3B 0A 20 20 20|cobj.id=|22|testcase|22 3B 0A 20 20 20|document.body.appendChild(cobj)|3B|"; content:"for(p in obj){|0A 20 20 20 20 20 20|if(typeof(obj[p])==|22|string|22|){"; distance:0; content:"document.body.removeChild(cobj)|3B|"; distance:0; reference:cve,2010-3765; classtype:attempted-user; sid:19076; rev:1;)
# sid:19096 - CVE-2010-1770; "text-transform: lowercase;" is the fast pattern and a
# common CSS declaration; the second content (result.innerHTML = "PASS") is what
# narrows it to the test page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:established,to_client; content:"text-transform|3A 20|lowercase|3B|"; fast_pattern:only; content:"document|2E|getElementById|28 22|result|22 29 2E|innerHTML|20 3D 20 22|PASS|22 3B|"; metadata:policy security-ips drop; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19096; rev:1;)
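# sid:19112 - CVE-2009-4002 (APSB10-03); msg typo "stucture" corrected to "structure"
# so the alert text matches the sibling rules 19113/19114/19115; rev bumped.
# Needs flowbit http.dir.  Layout: "initmainVWTL", then "XMED" exactly 4 bytes later,
# then an opcode/length field 36 bytes after that and a second field 25 bytes on
# (within: equals the pattern length, so each offset is exact).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure heap overflow"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|80 FF FF FF 00|"; within:5; distance:36; content:"|0C 0C 0C 0C FF 00 00 00|"; within:8; distance:25; reference:cve,2009-4002; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19112; rev:2;)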
# sid:19117 - CVE-2009-3959; flowbit http.pdf; keyed on one exact stream length
# (/Length 96729) and view name (DefaultView) - a single sample's dictionary.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed U3D integer overflow"; flow:to_client,established; flowbits:isset,http.pdf; content:"/FlateDecode/Length 96729/Subtype/U3D/Type/3D/VA"; content:"/TYPE/3DView/XN(DefaultView)>>]>>stream|0D 0A 78 DA AC DD 05|"; within:46; distance:114; reference:cve,2009-3959; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:19117; rev:1;)
# sid:19097 - CVE-2010-1396; fast pattern is the <select id="object"><option> tag,
# nocase applies to that content only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit ContentEditable code execution attempt"; flow:established,to_client; content:"object.innerHTML = |22 22 3B|"; content:"object.value|3B|"; within:30; content:"|3C|select id|3D 22|object|22 3E 3C|option|3E|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19097; rev:1;)
# sid:19114 - CVE-2009-4003; same initmainVWTL/XMED layout as sid:19112, opcode byte 0x45.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 45 overflow attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|45 FF FF FF 00 FF 00|"; within:7; distance:36; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19114; rev:1;)
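# sid:19119 - CVE-2010-3957 (MS10-091); flow: had a stray space after the comma
# ("to_client, established"), removed for consistency with the other rules so the
# option does not depend on the parser trimming whitespace; rev bumped.
# Single content: a font name "BellGothicStd-Bla" followed by 00 01 02 80 - i.e. one
# specific font sample; no flowbit or file_data, so it is checked against raw payload.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows ATMFD font driver remote code execution attempt"; flow:to_client,established; content:"BellGothicStd-Bla|00 01 02 80|"; reference:cve,2010-3957; reference:url,www.microsoft.com/technet/security/bulletin/ms10-091.mspx; classtype:attempted-user; sid:19119; rev:2;)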
# sid:19113 - CVE-2009-4003; initmainVWTL/XMED layout, opcode byte 0x81.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 81 overflow attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|81 FF FF FF 00 FF 00|"; within:7; distance:36; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19113; rev:1;)
# sid:19115 - CVE-2009-4003; initmainVWTL/XMED layout, opcode byte 0x89.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 89 overflow attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|89 FF FF FF 00 FF 00|"; within:7; distance:36; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19115; rev:1;)
# sid:19095 - CVE-2010-1770; "capitalize" counterpart of sid:19096, narrowed by
# document.body.addTextNode.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:established,to_client; content:"text-transform|3A 20|capitalize|3B|"; fast_pattern:only; content:"document.body.addTextNode"; metadata:policy security-ips drop; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19095; rev:1;)
# sid:19118 - CVE-2009-3956 (APSB10-02); flowbit http.pdf.  The ten contents spell
# "javascript" one parenthesised character at a time - (j)(a)(v)(a)(s)(c)(r)(i)(p)(t) -
# each 5-15 bytes after the previous one (distance:5; within:10).  fast_pattern sits
# on the third "(v)" content.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader script injection vulnerability"; flow:to_client,established; flowbits:isset,http.pdf; content:"(j)"; content:"(a)"; within:10; distance:5; content:"(v)"; within:10; distance:5; fast_pattern; content:"(a)"; within:10; distance:5; content:"(s)"; within:10; distance:5; content:"(c)"; within:10; distance:5; content:"(r)"; within:10; distance:5; content:"(i)"; within:10; distance:5; content:"(p)"; within:10; distance:5; content:"(t)"; within:10; distance:5; reference:cve,2009-3956; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:19118; rev:1;)
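# sid:19098 - CVE-2010-1396; msg typo "exeuction" corrected to "execution" so the
# alert text matches sid:19097; rev bumped.  Fast pattern is the
# getElementById("result").innerHTML = target.value assignment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit ContentEditable code execution attempt"; flow:established,to_client; content:"target.innerHTML = |22 3C|option|3E|PASS|3C 2F|option|3E 22 3B|"; content:"getElementById|28 22|result|22 29|.innerHTML = target.value"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19098; rev:2;)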
# sid:19127 / sid:19126 - CVE-2011-1525; flowbit http.realplayer; inspect the
# file_data buffer.  "distance:0" on the first content is relative to the start of
# that buffer.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.realplayer; file_data; content:"|01 00 00 00 00 00 00 5C 00 00 00 78 E0 00 00 05 40 00 00|"; distance:0; metadata:policy security-ips drop; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19127; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.realplayer; file_data; content:"|08 00 00 00 00 00 00 00 00 02 00 00 04 4E 00 01 03 00 00 00 00 00 03 CA 00 00 03 E6 E0 00 00 05 00|"; distance:0; metadata:policy security-ips drop; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19126; rev:1;)
# sid:19145 - CVE-2010-1297; two 16-byte slices exactly 16 bytes apart in file_data;
# no flowbit, so every HTTP response body is inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe flash player newfunction memory corruption attempt"; flow:from_server,established; file_data; content:"|D2 60 3B 40 C1 03 AB 12 E5 00 00 60 E8 03 24 00|"; content:"|46 FF 04 02 75 63 07 60 97 01 24 02 A1 62 04 0E|"; within:16; distance:16; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:19145; rev:1;)
# sid:19132 - CVE-2010-1246; flowbit http.xls; the 16 bytes begin with EB 06 90 90,
# i.e. a short jump and NOPs - a fingerprint of one sample's payload, not of the
# RTD record itself (sid:19131 covers the record name).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office RTD buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.xls; content:"|EB 06 90 90 AD 57 00 30 81 C4 24 16 00 00 C3 41|"; fast_pattern:only; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:19132; rev:1;)
# sid:19156 - CVE-2010-3945 (MS10-105); no flowbit for CGM files, raw-payload match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; content:"|FE 00 00 02 D6 FD FF 00 02 D5 FB FE 00 02 D4 FA FE 00 06 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-3945; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; classtype:attempted-user; sid:19156; rev:1;)
# sid:19146 - CVE-2010-1879 (MS10-033); flowbit http.avi; includes JPEG markers
# FF C0 (SOF0), FF DD (DRI) and FF C4 (DHT) with one sample's exact parameters.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.avi; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,www.microsoft.com/technet/security/bulletin/MS10-033.mspx; classtype:attempted-user; sid:19146; rev:1;)
# sid:19134 - CVE-2010-3231 (MS10-080); flowbit http.xls; the bytes embed the ASCII
# name "Connection" from the sample workbook.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|39 00 02 00 01 00 0F 00 02 00 1D 00 00 00 FF FF 01 00 C0 09 1B FC 1E 00 23 01 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 23 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; classtype:attempted-user; sid:19134; rev:1;)
# sid:19154 - CVE-2010-3239; flowbit http.xls; ends in 41 41 41 41 41 ("AAAAA"), the
# filler of one PoC - different padding would not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Excel PtgExtraArray parsing attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|69 6F 6E 60 01 00 00 B4 01 C7 03 42 03 FF 00 01 00 00 41 41 41 41 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43654; reference:cve,2010-3239; classtype:attempted-user; sid:19154; rev:1;)
# sid:19144 - CVE-2010-1882 (MS10-052); flowbit http.asx; "within:8" on the first
# content after file_data pins the 8-byte match to the very start of the buffer; the
# last four bytes are again "AAAA" filler.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,http.asx; file_data; content:"|FF FA 92 60 41 41 41 41|"; within:8; metadata:policy security-ips drop; reference:bugtraq,42298; reference:cve,2010-1882; reference:url,www.microsoft.com/technet/security/bulletin/MS10-052.mspx; classtype:attempted-user; sid:19144; rev:1;)
# sid:19133 - CVE-2010-0257 (MS10-017); flowbit http.xls; contains "$AAAA$" near the
# start, same PoC-filler caveat.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|0E 00 24 41 41 41 41 24 04 00 02 C0 42 02 04 00 D7 00 0C 00 A2 00 00 00 3C 00 0E 00 0E 00 0E 00 C2 01 0C 00 00 00 06 00 00 00 03 00 02 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; classtype:attempted-user; sid:19133; rev:1;)
# sid:19131 - CVE-2010-1246; flowbit http.xls; length-prefixed "excelrtd.rtdfunctions"
# string, the more generic of the two RTD rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office RTD buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.xls; content:"|5A 03 00 00 00 15|excelrtd.rtdfunctions"; fast_pattern:only; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:19131; rev:1;)
# SPYWARE-PUT: adware / PUP runtime signatures.  Outbound rules ($HOME_NET ->
# $EXTERNAL_NET, flow:to_server) key on a URI path, query parameter names and a
# Host: header; inbound ones key on an ActiveX CLSID inside an <OBJECT> tag.
#
# sid:5935 - /search.cgi with source=lifestyle,query=,select= in order (distance:0),
# Host: desksearch.dropspam.com as fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - search request 3"; flow:to_server,established; content:"/search.cgi"; nocase; content:"source=lifestyle"; nocase; content:"query="; distance:0; nocase; content:"select="; distance:0; nocase; content:"Host|3A| desksearch.dropspam.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:5;)
# sid:5811 - CLSID C0EF89EE-...-F1EBF79560A7; the pcre accepts optional quotes,
# whitespace and an opening brace around "clsid:" (case-insensitive, single-line).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT shop at home select installation in progress - clsid detected"; flow:to_client,established; content:"C0EF89EE-EEC7-4535-A041-F1EBF79560A7"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0EF89EE-EEC7-4535-A041-F1EBF79560A7/si"; metadata:policy security-ips drop; reference:url,www.nuker.com/container/details/shop_at_home_select.php; classtype:misc-activity; sid:5811; rev:4;)
# sid:5913 - User-Agent "My Agent" is the only match; short generic UA string, so
# treat hits as low-confidence without corroborating traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler smasoft webdownloader runtime detection"; flow:to_server,established; content:"User-Agent|3A| My Agent"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/w/webdownloader/Webdownloader1.2.html; classtype:misc-activity; sid:5913; rev:6;)
# sid:5799 - NOTE(review): the CLSID "07637823-C894-4A52-B3F9-5D77FD8E36A" has only
# 11 hex digits in its last group, where the other CLSID rules here (sid:5811,
# sid:6256) have 12.  Both the content and the pcre carry the same value, so the rule
# still matches as a prefix of the full CLSID; the full value is not on record here -
# TODO confirm against the referenced advisory before "correcting" it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT mydailyhoroscope update or installation in progress"; flow:to_client,established; content:"07637823-C894-4A52-B3F9-5D77FD8E36A"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07637823-C894-4A52-B3F9-5D77FD8E36A/si"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207; classtype:misc-activity; sid:5799; rev:4;)
# sid:5844 - /requestimpression.aspx? with ver=,guid=,host= then Host: ads.surfsidekick.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker surfsidekick runtime detection - post request"; flow:to_server,established; content:"/requestimpression.aspx?"; nocase; content:"ver="; distance:0; nocase; content:"guid="; distance:0; nocase; content:"host="; distance:0; nocase; content:"Host|3A| ads.surfsidekick.com"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5844; rev:4;)
# sid:6186 - User-Agent "SpywareStrike".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Other-Technologies SpywareStrike Runtime Detection"; flow:to_server,established; content:"User-Agent|3A| SpywareStrike"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.adwarereport.com/mt/archives/000248.html; reference:url,www.spywareguide.com/product_show.php?id=2438; classtype:misc-activity; sid:6186; rev:4;)
# sid:6278 - User-Agent "NavExcel Search Toolbar".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler navexcel search toolbar runtime detection - activate/update"; flow:to_server,established; content:"User-Agent|3A| NavExcel Search Toolbar"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:6278; rev:4;)
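# sid:6238 - lop adware beacon: /tba/ path followed by an ordered list of query
# parameter names and User-Agent "TPSystem" as the fast pattern.
# Fix (rev bumped): the pcre was "/\x2Ftba\x2F(cm)|(cu)\?/smi".  The "|" sat at the
# top level, so the regex was "/tba/cm" OR "cu?" - the second branch never required
# the /tba/ prefix and "?" applied only to it.  The intended grouping is
# "/tba/cm?" or "/tba/cu?", written as (cm|cu)\?.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware lop runtime detection - collect info request 1"; flow:to_server,established; content:"/tba/"; nocase; content:"guid="; distance:0; nocase; content:"version="; distance:0; nocase; content:"clientid="; distance:0; nocase; content:"time="; distance:0; nocase; content:"locale="; distance:0; nocase; content:"session="; distance:0; nocase; content:"id="; distance:0; nocase; content:"idle="; distance:0; nocase; content:"queued="; distance:0; nocase; content:"crc="; distance:0; nocase; content:"User-Agent|3A| TPSystem"; fast_pattern:only; pcre:"/\x2Ftba\x2F(cm|cu)\?/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6238; rev:5;)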
# sid:6256 - CLSID 907CA0E5-...-02608CDD2846 in an <OBJECT> tag (same pcre shape as sid:5811).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Adware searchsquire installtime/auto-update"; flow:to_client,established; content:"907CA0E5-CE84-11D6-9508-02608CDD2846"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3A\s*\x7B?\s*907CA0E5-CE84-11D6-9508-02608CDD2846/si"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6256; rev:3;)
# sid:7595 - multipart form POST to /index.php?document= carrying user_name and
# user_email fields; the fast pattern "/index.php?document=" is a common URI shape,
# the form field names do the discriminating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware comedy planet runtime detection - collect user information"; flow:to_server,established; content:"/index.php?document="; fast_pattern:only; content:"form-data|3B|"; nocase; content:"name="; distance:0; nocase; content:"user_name"; distance:0; nocase; content:"user_email"; distance:0; nocase; metadata:policy security-ips drop; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7595; rev:3;)
# sid:12224 - /mbop/index.php3? with UID=,DIST=,VER= and Host: www.digink.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware enbrowser snackman runtime detection"; flow:to_server,established; content:"/mbop/index.php3?"; nocase; content:"UID="; distance:0; nocase; content:"DIST="; distance:0; nocase; content:"VER="; distance:0; nocase; content:"Host|3A| www.digink.com"; fast_pattern:only; reference:url,www.popupsentry.com/S/SNACKMAN.EXE-4411.html; reference:url,www.spywareguide.com/spydet_2334_enbrowser.html; classtype:misc-activity; sid:12224; rev:4;)
# sid:12371 - User-Agent "SpamBlockerUtility 4.8.4"; version is part of the match, so
# other releases are not covered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sbu hotbar 4.8.4 runtime detection - user-agent string"; flow:to_server,established; content:"User-Agent|3A| SpamBlockerUtility 4.8.4"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.hotbar.html; reference:url,www.spywareguide.com/product_show.php?id=481; classtype:misc-activity; sid:12371; rev:4;)
# sid:12486 - User-Agent "TencentTraveler".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker soso toolbar runtime detection - get weather information"; flow:to_server,established; content:"User-Agent|3A| TencentTraveler"; fast_pattern:only; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12486; rev:4;)
# sid:12482 - User-Agent "ZOMBIES_HTTP_GET".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler pseudorat 0.1b runtime detection"; flow:to_server,established; content:"User-Agent|3A| ZOMBIES_HTTP_GET"; fast_pattern:only; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PseudoRAT&threatid=10053; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079890; classtype:misc-activity; sid:12482; rev:4;)
# sid:12679 - User-Agent "MyWaySearchAssistant"; classtype successful-recon-limited
# rather than misc-activity like the other UA rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection"; flow:established,to_server; content:"User-Agent|3A| MyWaySearchAssistant"; fast_pattern:only; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:12679; rev:4;)
# sid:13813 - inbound PE download whose first bytes are "MZKERNEL32.DLL" followed by
# NUL-padded "LoadLibraryA" and "GetProcAddress" import names; the pcre anchors the
# whole sequence at a line/buffer start (^ with the m flag) and pins the exact NUL
# counts the three contents leave open.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Trickler mm.exe runtime detection"; flow:from_server,established; content:"MZKERNEL32.DLL"; nocase; content:"LoadLibraryA"; distance:0; nocase; content:"GetProcAddress"; distance:0; nocase; pcre:"/^MZKERNEL32\x2eDLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress/smi"; reference:url,www.auditmypc.com/process/mm.asp; reference:url,www.fbmsoftware.com/spyware-net/process/mm_exe/1960/; classtype:misc-activity; sid:13813; rev:2;)
# sid:13849 - /10025rel/landing.php request carrying a custom "Rabio:" header whose
# value contains "RCSE" on the same line (pcre ^Rabio:[^\r\n]*RCSE).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker rcse 4.4 runtime detection - hijack ie browser"; flow:to_server,established; content:"/10025rel/landing.php"; fast_pattern:only; content:"Rabio|3A|"; nocase; content:"RCSE"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*RCSE/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rabio&threatid=169974; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:13849; rev:3;)
# sid:13939 - response-side half of a pair: only evaluated when flowbit
# AdWare_Ejik.ec_Detection was set by the request-side rule (not in this excerpt);
# matches a line of the form "<digits>;aa88.dll;<digits>;".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - auto update"; flow:from_server,established; flowbits:isset,AdWare_Ejik.ec_Detection; content:"|3B|aa88.dll|3B|"; pcre:"/^\d+\x3baa88\x2edll\x3b\d+\x3b/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13939; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home"; flow:from_server,established; flowbits:isset,Dropper_Agent.rqg_Detection; content:"|7C|http|3A|//xxx.ads555.com/rj/cc1.exe|7C|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.Win32.Agent.rqg&threatid=289587; reference:url,virscan.org/report/2b00cbb9a861bd3dd79ef19a75de92f8.html; classtype:misc-activity; sid:13936; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Keylogger emptybase j runtime detection"; flow:to_server,established; content:"/th/script.php?"; nocase; content:"boundary=--__abcd-xyz789__--"; distance:0; nocase; content:"name=|22|Module|22 0D 0A 0D 0A|"; distance:0; nocase; content:"IE"; distance:0; nocase; pcre:"/name\x3d\x22Module\x22\x0d\x0a\x0d\x0a(IEGrabber|IEInjector|IEFaker|IEKeylogger|IETanGrabber|IEScrGrabber|IECertGrab|IEFileGrabber)/smi"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453117299; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malencpkay.html; classtype:successful-recon-limited; sid:14065; rev:2;)
# --- SPYWARE-PUT: mostly User-Agent / Host-header matches; all carry policy security-ips alert (not drop) ---
# sid:6281 - User-Agent "istsvc".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker yoursitebar runtime detection"; flow:to_server,established; content:"User-Agent|3A| istsvc"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=974; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093992; classtype:misc-activity; sid:6281; rev:6;)
# sid:6189 - User-Agent "Try2Find Toolbar".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware try2find detection"; flow:to_server,established; content:"User-Agent|3A| Try2Find Toolbar"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1086; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096392; classtype:successful-recon-limited; sid:6189; rev:6;)
# sid:5954 - User-Agent "Browser Pal"; UA-only, the "post user info" in the msg is not checked by the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware browserpal runtime detection - post user info to server"; flow:to_server,established; content:"User-Agent|3A| Browser Pal"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906; classtype:successful-recon-limited; sid:5954; rev:6;)
# sid:5824 - User-Agent "Strip-Player".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Dialer stripplayer runtime detection"; flow:to_server,established; content:"User-Agent|3A| Strip-Player"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=455; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072548; classtype:misc-activity; sid:5824; rev:6;)
# sid:6200 - request containing /settings/ followed (distance:0) by Host: www.searchreslt.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker smart search runtime detection - get settings"; flow:to_server,established; content:"/settings/"; nocase; content:"Host|3A| www.searchreslt.com"; distance:0; nocase; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876; classtype:misc-activity; sid:6200; rev:5;)
# sid:5988 - User-Agent "ZC-Bridge".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware windupdates-mediagateway runtime detection - post data"; flow:to_server,established; content:"User-Agent|3A| ZC-Bridge"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094794; classtype:successful-recon-limited; sid:5988; rev:6;)
# sid:5773 - User-Agent "Dripline".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware forbes runtime detection"; flow:to_server,established; content:"User-Agent|3A| Dripline"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=556; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075448; classtype:misc-activity; sid:5773; rev:6;)
# sid:5918 - "/ping" anywhere in the request plus a Host header beginning "195.225." (an IP prefix,
#   not a name). NOTE(review): this is broad - any direct-by-IP request to a host in 195.225.0.0/16
#   whose URL contains /ping will also alert; consider narrowing if it proves noisy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker painter runtime detection - ping 'alive' signal"; flow:to_server,established; content:"/ping"; nocase; content:"Host|3A| 195.225."; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5918; rev:6;)
# sid:5760 - User-Agent "OSSProxy".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker marketscore runtime detection"; flow:to_server,established; content:"User-Agent|3A| OSSProxy"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=488; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43974; classtype:misc-activity; sid:5760; rev:7;)
# sid:5891 - request to /9899/srng/jrnl.php with PCID=, OS=, Category=, Field=, Description= in that order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 2"; flow:to_server,established; content:"/9899/srng/jrnl.php"; nocase; content:"PCID="; distance:0; nocase; content:"OS="; distance:0; nocase; content:"Category="; distance:0; nocase; content:"Field="; distance:0; nocase; content:"Description="; distance:0; nocase; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5891; rev:4;)
# sid:5750 - User-Agent "Infospace Toolbar".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware dogpile runtime detection"; flow:to_server,established; content:"User-Agent|3A| Infospace Toolbar"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=651; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079953; classtype:misc-activity; sid:5750; rev:6;)
# sid:5807 - eight absolute (non-relative) contents, so order is not enforced; InstallerLocation= is the
#   fast pattern and the only one without nocase. Unlike its neighbours this rule also lists the
#   balanced-ips and connectivity-ips policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopathomeselect runtime detection"; flow:to_server,established; content:"SAHSelect=GUID="; nocase; content:"CustomerID="; nocase; content:"stealth="; nocase; content:"InstallerLocation="; fast_pattern:only; content:"LastPrefs="; nocase; content:"AgentVersion="; nocase; content:"CTG="; nocase; content:"WSS_GW="; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:6;)
# sid:6212 - User-Agent "CommonName Agent".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware commonname runtime detection"; flow:to_server,established; content:"User-Agent|3A| CommonName Agent"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=429; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078618; classtype:misc-activity; sid:6212; rev:6;)
# sid:5977 - request to /downloads/rs.asp? with the one-letter parameters u= p= b= c= v= o= s= in
#   order, plus User-Agent "TM_SEARCH3" as the fast pattern; the two-byte relative matches carry
#   almost no specificity on their own, the UA does.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker topfive searchassistant detection - post user information to server"; flow:to_server,established; content:"/downloads/rs.asp?"; nocase; content:"u="; distance:0; nocase; content:"p="; distance:0; nocase; content:"b="; distance:0; nocase; content:"c="; distance:0; nocase; content:"v="; distance:0; nocase; content:"o="; distance:0; nocase; content:"s="; distance:0; nocase; content:"User-Agent|3A| TM_SEARCH3"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5977; rev:6;)
# sid:5944 - User-Agent "FreeAccessBar".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware free access bar runtime detection 1"; flow:to_server,established; content:"User-Agent|3A| FreeAccessBar"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2493; classtype:misc-activity; sid:5944; rev:6;)
# sid:6341 - User-Agent beginning "Spedia".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker spediabar user-agent string detected"; flow:to_server,established; content:"User-Agent|3A| Spedia"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1693; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295; classtype:misc-activity; sid:6341; rev:6;)
# sid:5776 - "P2P-Agent: Grokster" request header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler grokster runtime detection"; flow:to_server,established; content:"P2P-Agent|3A| Grokster"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.securemost.com/articles/rm_grokster.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060425; classtype:misc-activity; sid:5776; rev:7;)
# sid:7835 - note the direction: a web server inside $HOME_NET answering an external client. Fires on
#   "NetTracker" followed by "Sane Solutions" in the response, and only when the flowbit
#   NetTrack_Spy_ReportBrowsing was set by a rule that is not in this chunk.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Hacker-Tool nettracker runtime detection - report browsing"; flow:from_server,established; flowbits:isset,NetTrack_Spy_ReportBrowsing; content:"NetTracker"; nocase; content:"Sane Solutions"; distance:0; nocase; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821; classtype:misc-activity; sid:7835; rev:4;)
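# sid:8545 - request body line of the form "#<digits>|XX-XX-XX-XX-XX-XX|roogoo|" where XX are hex
#   pairs (looks like a dash-separated MAC-style identifier; the format is inferred from the pcre).
#   The pipe-delimited "|roogoo|" literal is the fast pattern, the pcre checks the surrounding layout.
#   Fix: the hex classes were written as [0-9A-E], which excludes the digit F and so silently missed
#   any identifier containing f/F; widened to [0-9A-F] and rev bumped. The "|roogoo|" literal still
#   has to be present, so the wider class does not loosen the rule beyond its intended format.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware roogoo runtime detection - surfing monitor"; flow:to_server,established; content:"|7C|roogoo|7C|"; fast_pattern:only; pcre:"/^\x23\d+\x7c([0-9A-F]{2}\x2d){5}[0-9A-F]{2}\x7croogoo\x7c/smi"; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=3018; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:8545; rev:6;)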
# sid:6191 - User-Agent "Visicom" (fast pattern) together with a Host header beginning "onetoolbar"
#   (absolute match, not relative to the UA).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware onetoolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| Visicom"; fast_pattern:only; content:"Host|3A| onetoolbar"; nocase; metadata:policy security-ips alert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Adw.OneToolbar&threatid=43856; reference:url,www.spywareguide.com/product_show.php?id=2746; classtype:successful-recon-limited; sid:6191; rev:6;)
# sid:5989 - request to /v2.asmx with SOAPAction "http://ws.broadcastpc.tv/GetConfig" (the SOAPAction
#   header is the fast pattern and is matched case-sensitively).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcastpc runtime detection - get config"; flow:to_server,established; content:"/v2.asmx"; nocase; content:"SOAPAction|3A| |22|http|3A|//ws.broadcastpc.tv/GetConfig|22|"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5989; rev:7;)
# sid:15564 / sid:15565 - server response containing "#!/bin/sh" and, at least 50 bytes after it, one
#   of two literal fragments of the encoded script body (one fragment per sid). These are the only
#   rules in this group marked service http and set to drop in all three policies.
#   NOTE(review): both sids carry an identical msg, so alerts from the two cannot be told apart
#   without looking at the sid; a distinguishing suffix (e.g. "variant 1"/"variant 2") would help triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT RSPlug Trojan file download attempt"; flow:to_client,established; content:"|23|!/bin/sh"; nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15564; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT RSPlug Trojan file download attempt"; flow:to_client,established; content:"|23|!/bin/sh"; nocase; content:"<|22|!0<FEM87|29|Y4V5R=FEC92!|5C 28|'-E9|22|`"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15565; rev:3;)
# sid:16116 - request to /bc/ip.php followed (distance:0) by Host: ads.targetedbanner.biz.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server"; flow:to_server,established; content:"/bc/ip.php"; nocase; content:"Host|3A| ads.targetedbanner.biz"; distance:0; nocase; reference:url,www.sophos.com/security/analyses/adware-and-puas/rightonadz.html; classtype:successful-recon-limited; sid:16116; rev:3;)
# sid:19056 - request containing "AddSetup.asp?id=" (hex-escaped, case-sensitive, no pcre); the
#   reference is a VirusTotal report for the sample rather than a write-up.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trojan.Win32.QQFish contact to server attempt"; flow:to_server,established; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528-1286946878; classtype:trojan-activity; sid:19056; rev:1;)
# --- WEB-ACTIVEX: server-to-client HTML that instantiates a vulnerable ActiveX control ---
# Two shapes are used in this group. "CLSID access" rules take the hex CLSID as the fast pattern and
# use a pcre to require it inside <OBJECT ... classid=clsid:{GUID}>; "unicode access" rules do the
# same for the UTF-16LE encoding (every character followed by |00|). "function call" rules match a
# bare ProgID string with no tag context. Instantiation through script (a ProgID passed to
# ActiveXObject / CreateObject, or a CLSID assembled at runtime) is outside what these patterns see.
# sid:8419 - ProgID "WebViewFolderIcon.WebViewFolderIcon.1" anywhere in the response, no <OBJECT>
#   context. NOTE(review): any page that merely mentions the ProgID (advisories, the referenced blog
#   post, mailing-list archives) will also trip this rule, and it is set to drop in two policies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:established,to_client; content:"WebViewFolderIcon.WebViewFolderIcon.1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:8419; rev:9;)
# sid:4893 - Trident HTMLEditor CLSID 3050F4F5-... in an <OBJECT> classid (MS05-054).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Trident HTMLEditor ActiveX Object Access"; flow:from_server,established; content:"3050F4F5-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4F5-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4893; rev:5;)
# sid:4902 - Video Mixing Renderer 9 CLSID 51B4ABF3-... in an <OBJECT> classid (MS05-054).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Mixing Renderer 9 ActiveX Object Access"; flow:from_server,established; content:"51B4ABF3-748F-4E3B-A276-C828330E926A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*51B4ABF3-748F-4E3B-A276-C828330E926A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4902; rev:5;)
# sid:7479 - WMT Interlacer CLSID C6CB1FE3-..., UTF-16LE form (MS06-042).
#   NOTE(review): unlike the other unicode rules below, this content has no nocase although the pcre
#   is /i; confirm the prefilter still sees lower-case hex, or add nocase for consistency.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Interlacer ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|6|00|C|00|B|00|1|00|F|00|E|00|3|00|-|00|B|00|0|00|5|00|E|00|-|00|4|00|F|00|0|00|E|00|-|00|8|00|1|00|8|00|F|00|-|00|C|00|8|00|3|00|E|00|D|00|5|00|A|00|0|00|3|00|3|00|2|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x00C\x00B\x001\x00F\x00E\x003\x00-\x00B\x000\x005\x00E\x00-\x004\x00F\x000\x00E\x00-\x008\x001\x008\x00F\x00-\x00C\x008\x003\x00E\x00D\x005\x00A\x000\x003\x003\x002\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7479; rev:4;)
# sid:8789 - DirectAnimation.DAPoint3.1 CLSID C46C1BD8-... in an <OBJECT> classid (MS06-067).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8789; rev:4;)
# sid:4209 - LexRefStFrObject CLSID B3E0E785-... in an <OBJECT> classid (MS05-052).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LexRefStFrObject Class ActiveX Object Access"; flow:from_server,established; content:"B3E0E785-BD78-4366-9560-B7DABE2723BE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B3E0E785-BD78-4366-9560-B7DABE2723BE/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4209; rev:7;)
# sid:12270 - ProgID "TLI.TLIApplication" anywhere in the response, no tag context (MS07-045); the
#   same false-positive caveat as sid:8419 applies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call"; flow:established,to_client; content:"TLI.TLIApplication"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2007-2216; reference:url,www.microsoft.com/technet/security/bulletin/ms07-045.mspx; classtype:attempted-user; sid:12270; rev:8;)
# sid:4184 - Certificate Enrollment control CLSID 43F8F289-... in an <OBJECT> classid (MS02-048).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Certificate Enrollment ActiveX Object Access"; flow:from_server,established; content:"43F8F289-7A20-11D0-8F06-00C04FC295E1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*43F8F289-7A20-11D0-8F06-00C04FC295E1/si"; metadata:policy security-ips drop; reference:bugtraq,5593; reference:cve,2002-0699; reference:url,www.microsoft.com/technet/security/bulletin/MS02-048.mspx; classtype:attempted-user; sid:4184; rev:4;)
# sid:7950 - DirectAnimation Control CLSID B6FFC24C-... in an <OBJECT> classid.
#   NOTE(review): no reference: option at all; an analyst gets nothing to triage against - the
#   advisory this was written from should be added as a reference.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID access"; flow:established,to_client; content:"B6FFC24C-7E13-11D0-9B47-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FFC24C-7E13-11D0-9B47-00C04FC2F51D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7950; rev:5;)
# sid:4200 - Index Server Scope Administration CLSID 3BC4F3A7-... in an <OBJECT> classid (MS05-052).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Index Server Scope Administration ActiveX Object Access"; flow:from_server,established; content:"3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4200; rev:7;)
# sid:4218 - Visual Basic WebClass CLSID 6B7F1602-... in an <OBJECT> classid (MS05-052).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic WebClass ActiveX Object Access"; flow:from_server,established; content:"6B7F1602-D44C-11D0-A7D9-AE3D17000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B7F1602-D44C-11D0-A7D9-AE3D17000000/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4218; rev:7;)
# sid:8754 - LM.AutoEffectBvr.1 CLSID BB339A46-..., UTF-16LE form (MS06-067).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|B|00|3|00|3|00|9|00|A|00|4|00|6|00|-|00|7|00|C|00|4|00|9|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|B|00|F|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|7|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00B\x003\x003\x009\x00A\x004\x006\x00-\x007\x00C\x004\x009\x00-\x001\x001\x00d\x002\x00-\x009\x00B\x00F\x003\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x007\x008\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8754; rev:4;)
# sid:6008 - DT DDS OrgChart GDD Route CLSID 4CECCEB2-... in an <OBJECT> classid (MS06-013).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Route ActiveX Object Access"; flow:from_server,established; content:"4CECCEB2-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB2-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6008; rev:4;)
# sid:8011 - English_US Stemmer CLSID EEED4C20-... in an <OBJECT> classid (MS05-038).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_US Stemmer ActiveX CLSID access"; flow:established,to_client; content:"EEED4C20-7F1B-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EEED4C20-7F1B-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8011; rev:4;)
# sid:7891 - AOL.MemExpWz CLSID 18477169-..., UTF-16LE form. NOTE(review): no reference: option;
#   the source advisory should be cited so the alert can be triaged.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|4|00|7|00|7|00|1|00|6|00|9|00|-|00|4|00|7|00|5|00|2|00|-|00|4|00|1|00|D|00|C|00|-|00|A|00|B|00|0|00|F|00|-|00|C|00|5|00|0|00|E|00|B|00|A|00|7|00|5|00|6|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x004\x007\x007\x001\x006\x009\x00-\x004\x007\x005\x002\x00-\x004\x001\x00D\x00C\x00-\x00A\x00B\x000\x00F\x00-\x00C\x005\x000\x00E\x00B\x00A\x007\x005\x006\x004\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7891; rev:5;)
# sid:7894 - AOL.PicDownloadCtrl CLSID D670D0B3-... in an <OBJECT> classid. NOTE(review): no
#   reference: option; same triage gap as sid:7891.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID access"; flow:established,to_client; content:"D670D0B3-05AB-4115-9F87-D983EF1AC747"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D670D0B3-05AB-4115-9F87-D983EF1AC747/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7894; rev:5;)
# sid:8029 - MidiOut Class Manager CLSID 4EFE2452-... in an <OBJECT> classid (MS05-038).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID access"; flow:established,to_client; content:"4EFE2452-168A-11D1-BC76-00C04FB9453B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4EFE2452-168A-11D1-BC76-00C04FB9453B/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8029; rev:4;)
# sid:8801 - DirectAnimation.DANumber.1 CLSID 9CDE7341-... in an <OBJECT> classid (MS06-067).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID access"; flow:established,to_client; content:"9CDE7341-3C20-11D0-A330-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CDE7341-3C20-11D0-A330-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8801; rev:4;)
# sid:8793 - DirectAnimation.DAPoint2.1 CLSID C46C1BC8-..., UTF-16LE form (MS06-067).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8793; rev:4;)
# sid:7957 - Forms 2.0 ListBox CLSID 8BD21D20-..., UTF-16LE form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|2|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x002\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7957; rev:6;)
# sid:8364 - Business Object Factory CLSID AB9BCEDD-..., UTF-16LE form.
#   NOTE(review): like sid:7479, this unicode content has no nocase while the pcre is /i; confirm the
#   prefilter behaviour with lower-case hex, or add nocase to match the neighbouring unicode rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Business Object Factory ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|B|00|9|00|B|00|C|00|E|00|D|00|D|00|-|00|E|00|C|00|7|00|E|00|-|00|4|00|7|00|E|00|1|00|-|00|9|00|3|00|2|00|2|00|-|00|D|00|4|00|A|00|2|00|1|00|0|00|6|00|1|00|7|00|1|00|1|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00B\x009\x00B\x00C\x00E\x00D\x00D\x00-\x00E\x00C\x007\x00E\x00-\x004\x007\x00E\x001\x00-\x009\x003\x002\x002\x00-\x00D\x004\x00A\x002\x001\x000\x006\x001\x007\x001\x001\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8364; rev:4;)
# sid:7869 - ADODB.Recordset CLSID 00000535-..., UTF-16LE form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Recordset ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|3|00|5|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x003\x005\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7869; rev:6;)
# sid:8745 - DirectAnimation.DAEvent.1 CLSID 50B4791F-..., UTF-16LE form (MS06-067).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|0|00|B|00|4|00|7|00|9|00|1|00|F|00|-|00|4|00|7|00|3|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x000\x00B\x004\x007\x009\x001\x00F\x00-\x004\x007\x003\x001\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8745; rev:4;)
# sid:7910 - DXImageTransform.Microsoft.DropShadow CLSID ADC6CB86-... in an <OBJECT> classid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID access"; flow:established,to_client; content:"ADC6CB86-424C-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADC6CB86-424C-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7910; rev:5;)
# sid:4176 - Office Web Components Chart CLSID 0002E500-... in an <OBJECT> classid (MS02-044).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000 and 2002 Web Components Chart ActiveX Object Access"; flow:from_server,established; content:"0002E500-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E500-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4176; rev:4;)
# sid:8376 - QuickTime Object CLSID 02BF25D5-..., UTF-16LE form. NOTE(review): no reference: option;
#   the advisory should be cited for triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QuickTime Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|2|00|B|00|F|00|2|00|5|00|D|00|5|00|-|00|8|00|C|00|1|00|7|00|-|00|4|00|B|00|2|00|3|00|-|00|B|00|C|00|8|00|0|00|-|00|D|00|3|00|4|00|8|00|8|00|A|00|B|00|D|00|D|00|C|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x002\x00B\x00F\x002\x005\x00D\x005\x00-\x008\x00C\x001\x007\x00-\x004\x00B\x002\x003\x00-\x00B\x00C\x008\x000\x00-\x00D\x003\x004\x008\x008\x00A\x00B\x00D\x00D\x00C\x006\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8376; rev:4;)
# sid:7922 - DXImageTransform.Microsoft.RevealTrans CLSID E31E87C4-... in an <OBJECT> classid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID access"; flow:established,to_client; content:"E31E87C4-86EA-4940-9B8A-5BD5D179A737"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E31E87C4-86EA-4940-9B8A-5BD5D179A737/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7922; rev:6;)
# sid:7880 - AxMetaStream.MetaStreamCtlSecondary CLSID 1B00725B-... in an <OBJECT> classid.
#   NOTE(review): no reference: option; the advisory should be cited for triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID access"; flow:established,to_client; content:"1B00725B-C455-4DE6-BFB6-AD540AD427CD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B00725B-C455-4DE6-BFB6-AD540AD427CD/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7880; rev:5;)
# sid:8781 - DirectAnimation.DATransform2.1 CLSID C46C1BCC-..., UTF-16LE form (MS06-067).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8781; rev:4;)
# sid:4191 - MsnPUpld CLSID C3DFA998-... in an <OBJECT> classid (MS05-025); the CLSID is written with a
#   lower-case "d4" segment, which nocase and the /i pcre both tolerate.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MsnPUpld ActiveX Object Access"; flow:from_server,established; content:"C3DFA998-A486-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3DFA998-A486-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4191; rev:4;)
# sid:6684 - DXImageTransform.Microsoft.MMSpecialEffect1Input CLSID 353359C1-... in an <OBJECT>
#   classid (MS06-021); mixed-case "491b" segment, covered by nocase and /i as in sid:4191.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID access"; flow:established,to_client; content:"353359C1-39E1-491b-9951-464FD8AB071C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6684; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX McSubMgr ActiveX CLSID access"; flow:established,to_client; content:"9be8d7b2-329c-442a-a4ac-aba9d7572602"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9be8d7b2-329c-442a-a4ac-aba9d7572602/si"; metadata:policy security-ips drop; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7864; rev:5;)
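# WEB-ACTIVEX DirectX Transform Wrapper Property Page, "unicode" variant: every
# CLSID character is followed by a 0x00 byte in both the content and the pcre.
# "nocase" was missing from the content modifiers; it is added here so the
# rule matches its sibling MS06-042 unicode/ASCII rules (sid 7484, 7494, 7446,
# 7478 all carry nocase) and the case-insensitive (/i) pcre. The CLSID contains
# hex letters, so without nocase a lower-case rendering would depend on the
# fast-pattern matcher alone. With fast_pattern:only the content is handled by
# the fast-pattern matcher, which is case-insensitive, so this is expected to
# be a consistency change rather than a detection change — confirm against the
# deployed engine version. The drop action applies only under the
# security-ips policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|5|00|4|00|4|00|C|00|2|00|4|00|-|00|F|00|D|00|0|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|6|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|4|00|B|00|5|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x005\x004\x004\x00C\x002\x004\x00-\x00F\x00D\x000\x00B\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x006\x003\x00-\x000\x000\x00A\x00A\x000\x000\x004\x004\x00B\x005\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7434; rev:4;)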
# WEB-ACTIVEX CLSID-access rules (server-to-client HTTP, established flow).
# Pattern per rule: the content is the CLSID and serves only as the
# fast-pattern prefilter (fast_pattern:only; nocase); the pcre then requires
# that CLSID inside an "<OBJECT ... classid=clsid:{..." attribute, with
# optional quotes, whitespace and brace, under /si. "unicode access" rules
# (sid 8736, 7996, 8038, 8722, 7986 here) encode every character followed by
# a 0x00 byte in both content (|00|) and pcre (\x00). Several rules share a
# reference set (bugtraq 14511 / CVE-2005-1990 / MS05-038 for the Stemmer,
# clbcatq.dll, ACM Class Manager and CommunicationManager objects); sid 8736,
# 7983 and 8722's Metasploit reference carry no CVE.
# metadata "policy security-ips drop": the drop applies only under the
# security-ips policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|5|00|A|00|4|00|A|00|9|00|9|00|C|00|-|00|8|00|C|00|3|00|D|00|-|00|4|00|9|00|9|00|E|00|-|00|A|00|3|00|8|00|6|00|-|00|E|00|0|00|7|00|4|00|3|00|D|00|F|00|F|00|8|00|F|00|B|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00A\x004\x00A\x009\x009\x00C\x00-\x008\x00C\x003\x00D\x00-\x004\x009\x009\x00E\x00-\x00A\x003\x008\x006\x00-\x00E\x000\x007\x004\x003\x00D\x00F\x00F\x008\x00F\x00B\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8736; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID access"; flow:established,to_client; content:"860D28D0-8BF4-11CE-BE59-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860D28D0-8BF4-11CE-BE59-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8007; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID access"; flow:established,to_client; content:"CC7BFB43-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB43-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8045; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID access"; flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7484; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access"; flow:from_server,established; content:"1fb464c8-09bb-4017-a2f5-eb742f04392f"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1fb464c8-09bb-4017-a2f5-eb742f04392f/si"; metadata:policy security-ips drop; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,www.microsoft.com/technet/security/bulletin/MS02-046.mspx; classtype:attempted-user; sid:4185; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Source ActiveX CLSID access"; flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7494; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatq.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|B|00|3|00|A|00|E|00|C|00|B|00|-|00|D|00|F|00|D|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|D|00|A|00|A|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|8|00|5|00|C|00|F|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00B\x003\x00A\x00E\x00C\x00B\x00-\x00D\x00F\x00D\x006\x00-\x001\x001\x00D\x001\x00-\x009\x00D\x00A\x00A\x00-\x000\x000\x008\x000\x005\x00F\x008\x005\x00C\x00F\x00E\x003\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7996; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MSVTDGridCtrl7 ActiveX Object Access"; flow:from_server,established; content:"6F9F3481-84DD-4B14-B09C-6B4288ECCDE8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6F9F3481-84DD-4B14-B09C-6B4288ECCDE8/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4234; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Trouble Shooter ActiveX Object Access"; flow:from_server,established; content:"4B106874-DD36-11D0-8B44-00A024DD9EFF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4B106874-DD36-11D0-8B44-00A024DD9EFF/si"; metadata:policy security-ips drop; reference:bugtraq,8833; reference:cve,2003-0662; reference:url,www.microsoft.com/technet/security/bulletin/MS03-042.mspx; classtype:attempted-user; sid:4145; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX SuperBuddy Class ActiveX CLSID access"; flow:established,to_client; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7983; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|4|00|7|00|8|00|F|00|6|00|4|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x004\x007\x008\x00F\x006\x004\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8038; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft SysTray ActiveX Object Access"; flow:from_server,established; content:"35CEC8A3-2BE6-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*35CEC8A3-2BE6-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4231; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_UK Stemmer ActiveX CLSID access"; flow:established,to_client; content:"D99F7670-7F1A-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D99F7670-7F1A-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8009; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Data Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8722; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|5|00|D|00|F|00|9|00|D|00|1|00|0|00|-|00|3|00|B|00|5|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|3|00|E|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x005\x00D\x00F\x009\x00D\x001\x000\x00-\x003\x00B\x005\x002\x00-\x001\x001\x00D\x001\x00-\x008\x003\x00E\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x00D\x00C\x008\x004\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:7986; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ACM Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A761-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A761-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7991; rev:4;)
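# WEB-ACTIVEX WMT Screen capture Filter, "unicode" variant: every CLSID
# character is followed by a 0x00 byte in both the content and the pcre.
# "nocase" was missing from the content modifiers; it is added here so the
# rule matches the other MS06-042 / CVE-2006-3638 rules in this set (sid 7484,
# 7494, 7446, 7478 all carry nocase) and its own case-insensitive (/i) pcre.
# With fast_pattern:only the content is handled by the fast-pattern matcher,
# which is case-insensitive, so this is expected to be a consistency change
# rather than a detection change — confirm against the deployed engine
# version. The drop action applies only under the security-ips policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|1|00|0|00|8|00|7|00|2|00|7|00|0|00|-|00|D|00|3|00|4|00|8|00|-|00|4|00|3|00|2|00|C|00|-|00|8|00|9|00|9|00|E|00|-|00|2|00|D|00|2|00|F|00|3|00|8|00|F|00|F|00|2|00|9|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x001\x000\x008\x007\x002\x007\x000\x00-\x00D\x003\x004\x008\x00-\x004\x003\x002\x00C\x00-\x008\x009\x009\x00E\x00-\x002\x00D\x002\x00F\x003\x008\x00F\x00F\x002\x009\x00A\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7489; rev:4;)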
# WEB-ACTIVEX CLSID-access rules (server-to-client HTTP, established flow).
# The content is the CLSID and serves only as the fast-pattern prefilter
# (fast_pattern:only; nocase); the pcre requires that CLSID inside an
# "<OBJECT ... classid=clsid:{..." attribute (quotes/whitespace/brace
# optional, /si). sid 8826 and 8400 are "unicode access" rules: each character
# of content (|00|) and pcre (\x00) is followed by a 0x00 byte. sid 8400 has
# no reference entry. The drop applies only under the security-ips policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8826; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|4|00|2|00|D|00|3|00|8|00|5|00|A|00|-|00|D|00|5|00|B|00|F|00|-|00|4|00|2|00|7|00|D|00|-|00|9|00|A|00|F|00|2|00|-|00|8|00|8|00|2|00|5|00|8|00|F|00|B|00|7|00|3|00|E|00|A|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x004\x002\x00D\x003\x008\x005\x00A\x00-\x00D\x005\x00B\x00F\x00-\x004\x002\x007\x00D\x00-\x009\x00A\x00F\x002\x00-\x008\x008\x002\x005\x008\x00F\x00B\x007\x003\x00E\x00A\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8400; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PostBootReminder object ActiveX CLSID access"; flow:established,to_client; content:"7849596A-48EA-486E-8937-A2A3009F31A9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7849596A-48EA-486E-8937-A2A3009F31A9/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7970; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player Active Movie ActiveX Object Access"; flow:from_server,established; content:"05589FA1-C356-11CE-BF01-00AA0055595A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05589FA1-C356-11CE-BF01-00AA0055595A/si"; metadata:policy security-ips drop; reference:bugtraq,1221; reference:cve,2000-0400; classtype:attempted-user; sid:4158; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Marquee Control ActiveX Object Access"; flow:from_server,established; content:"250770F3-6AF2-11CF-A915-008029E31FCD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*250770F3-6AF2-11CF-A915-008029E31FCD/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4203; rev:7;)
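# WEB-ACTIVEX WM Color Converter Filter, "unicode" variant: every CLSID
# character is followed by a 0x00 byte in both the content and the pcre.
# "nocase" was missing from the content modifiers; it is added here so the
# rule matches the other MS06-042 / CVE-2006-3638 rules in this set (sid 7484,
# 7494, 7446, 7478 all carry nocase) and its own case-insensitive (/i) pcre.
# With fast_pattern:only the content is handled by the fast-pattern matcher,
# which is case-insensitive, so this is expected to be a consistency change
# rather than a detection change — confirm against the deployed engine
# version. The drop action applies only under the security-ips policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|4|00|5|00|B|00|0|00|B|00|0|00|-|00|7|00|2|00|D|00|8|00|-|00|4|00|6|00|5|00|2|00|-|00|A|00|E|00|5|00|F|00|-|00|5|00|E|00|3|00|E|00|2|00|6|00|6|00|B|00|E|00|7|00|E|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x004\x005\x00B\x000\x00B\x000\x00-\x007\x002\x00D\x008\x00-\x004\x006\x005\x002\x00-\x00A\x00E\x005\x00F\x00-\x005\x00E\x003\x00E\x002\x006\x006\x00B\x00E\x007\x00E\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7453; rev:4;)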
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Windows Start Menu ActiveX Object Access"; flow:from_server,established; content:"4622AD11-FF23-11D0-8D34-00A0C90F2719"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4622AD11-FF23-11D0-8D34-00A0C90F2719/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4228; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Record Queue ActiveX CLSID access"; flow:established,to_client; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7446; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft ProxyStub Dispatch ActiveX Object Access"; flow:from_server,established; content:"00020420-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020420-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4221; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID access"; flow:established,to_client; content:"65BCBEE4-7728-41A0-97BE-14E1CAE36AAE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*65BCBEE4-7728-41A0-97BE-14E1CAE36AAE/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8397; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID access"; flow:established,to_client; content:"A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7898; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8810; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Property Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710C-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710C-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4909; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|6|00|2|00|7|00|9|00|7|00|E|00|-|00|1|00|2|00|4|00|9|00|-|00|4|00|5|00|9|00|6|00|-|00|9|00|F|00|F|00|7|00|-|00|A|00|C|00|6|00|D|00|8|00|5|00|1|00|A|00|5|00|4|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x006\x002\x007\x009\x007\x00E\x00-\x001\x002\x004\x009\x00-\x004\x005\x009\x006\x00-\x009\x00F\x00F\x007\x00-\x00A\x00C\x006\x00D\x008\x005\x001\x00A\x005\x004\x002\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7887; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID access"; flow:established,to_client; content:"3A04D93B-1EDD-4F3F-A375-A03EC19572C4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A04D93B-1EDD-4F3F-A375-A03EC19572C4/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7946; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|5|00|B|00|7|00|F|00|6|00|3|00|-|00|F|00|0|00|6|00|F|00|-|00|4|00|3|00|3|00|1|00|-|00|8|00|A|00|2|00|6|00|-|00|3|00|3|00|9|00|E|00|0|00|3|00|C|00|0|00|A|00|E|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x005\x00B\x007\x00F\x006\x003\x00-\x00F\x000\x006\x00F\x00-\x004\x003\x003\x001\x00-\x008\x00A\x002\x006\x00-\x003\x003\x009\x00E\x000\x003\x00C\x000\x00A\x00E\x003\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; sid:8370; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX French_French Stemmer ActiveX CLSID access"; flow:established,to_client; content:"2A6EB050-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2A6EB050-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8013; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID access"; flow:established,to_client; content:"CC7BFB42-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB42-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8043; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8778; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatex.dll ActiveX CLSID access"; flow:established,to_client; content:"E846F0A0-D367-11D1-8286-00A0C9231C29"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E846F0A0-D367-11D1-8286-00A0C9231C29/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7993; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISupportErrorInfo Interface ActiveX Object Access"; flow:from_server,established; content:"DF0B3D60-548F-101B-8E65-08002B2BD119"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DF0B3D60-548F-101B-8E65-08002B2BD119/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4899; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID access"; flow:established,to_client; content:"68A499C7-F9B0-11D2-93D4-00A0C981B035"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68A499C7-F9B0-11D2-93D4-00A0C981B035/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7882; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MS Audio Decompressor Control Property Page ActiveX Object Access"; flow:from_server,established; content:"8FE7E181-BB96-11D2-A1CB-00609778EA66"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8FE7E181-BB96-11D2-A1CB-00609778EA66/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4207; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CommunicationManager ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|7|00|D|00|C|00|C|00|4|00|8|00|7|00|-|00|A|00|A|00|4|00|8|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|F|00|4|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|6|00|1|00|1|00|C|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x00D\x00C\x00C\x004\x008\x007\x00-\x00A\x00A\x004\x008\x00-\x001\x001\x00D\x001\x00-\x008\x00F\x004\x00F\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x006\x001\x001\x00C\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8002; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8828; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8817; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8808; rev:4;)
# DirectAnimation.DABbox3.1 (CLSID C46C1BDE-3C52-11D0-9200-848C1D000000) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-4446, CVE-2006-4777, MS06-067.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8838; rev:4;)
# ISSimpleCommandCreator.1 (CLSID C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: BID 14511, CVE-2005-1990, MS05-038.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|7|00|B|00|6|00|C|00|0|00|4|00|A|00|-|00|C|00|B|00|B|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|B|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|4|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x007\x00B\x006\x00C\x000\x004\x00A\x00-\x00C\x00B\x00B\x005\x00-\x001\x001\x00D\x000\x00-\x00B\x00B\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x004\x001\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8022; rev:4;)
# WMT Interlacer (CLSID C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F) in an <OBJECT classid> tag in a server-to-client response; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-3638, MS06-042.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Interlacer ActiveX CLSID access"; flow:established,to_client; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7478; rev:5;)
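# WMT DirectX Transform Wrapper (CLSID AECF5D2E-7A18-4DD2-BDCD-29B6F615B448) in an <OBJECT classid> tag, wide-character form. Refs: CVE-2006-3638, MS06-042.
# nocase added: the content is the fast-pattern gate, and without it a lower-case CLSID never reaches the case-insensitive (/i) pcre; the sibling wide-character rules in this file already carry nocase. rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|E|00|C|00|F|00|5|00|D|00|2|00|E|00|-|00|7|00|A|00|1|00|8|00|-|00|4|00|D|00|D|00|2|00|-|00|B|00|D|00|C|00|D|00|-|00|2|00|9|00|B|00|6|00|F|00|6|00|1|00|5|00|B|00|4|00|4|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00E\x00C\x00F\x005\x00D\x002\x00E\x00-\x007\x00A\x001\x008\x00-\x004\x00D\x00D\x002\x00-\x00B\x00D\x00C\x00D\x00-\x002\x009\x00B\x006\x00F\x006\x001\x005\x00B\x004\x004\x008\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7469; rev:5;)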
# DirectX Files Viewer (CLSID 970C7E08-05A7-11D0-89AA-00A0C9054129) in an <OBJECT classid> tag; flow:from_server is the older spelling of to_client used by the "Object Access" rules. Refs: BID 5489, CVE-2002-0975, MS02-066.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Files Viewer ActiveX Object Access"; flow:from_server,established; content:"970C7E08-05A7-11D0-89AA-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*970C7E08-05A7-11D0-89AA-00A0C9054129/si"; metadata:policy security-ips drop; reference:bugtraq,5489; reference:cve,2002-0975; reference:url,www.microsoft.com/technet/security/bulletin/MS02-066.mspx; classtype:attempted-user; sid:4179; rev:4;)
# DXImageTransform.Microsoft.Shadow (CLSID E71B4063-3E59-11D2-952A-00C04FA34F05) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Ref: securityfocus archive 443907.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID access"; flow:established,to_client; content:"E71B4063-3E59-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E71B4063-3E59-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7924; rev:5;)
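# Wmm2ae.dll (CLSID 44C79591-D0DE-49C4-BA3C-A45AB7003356) in an <OBJECT classid> tag, wide-character form. Refs: CVE-2006-3638, MS06-042.
# nocase added: the content is the fast-pattern gate, and without it a lower-case CLSID never reaches the case-insensitive (/i) pcre; the sibling wide-character rules in this file already carry nocase. rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|4|00|C|00|7|00|9|00|5|00|9|00|1|00|-|00|D|00|0|00|D|00|E|00|-|00|4|00|9|00|C|00|4|00|-|00|B|00|A|00|3|00|C|00|-|00|A|00|4|00|5|00|A|00|B|00|7|00|0|00|0|00|3|00|3|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x004\x00C\x007\x009\x005\x009\x001\x00-\x00D\x000\x00D\x00E\x00-\x004\x009\x00C\x004\x00-\x00B\x00A\x003\x00C\x00-\x00A\x004\x005\x00A\x00B\x007\x000\x000\x003\x003\x005\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7455; rev:5;)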
# CoAxTrackVideo Class (CLSID 1853E19A-4E54-4190-8DEB-2E1CC947CD60) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. No reference on the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID access"; flow:established,to_client; content:"1853E19A-4E54-4190-8DEB-2E1CC947CD60"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1853E19A-4E54-4190-8DEB-2E1CC947CD60/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7918; rev:5;)
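# WMT DV Extract Filter (CLSID E476CBFF-E229-4524-B6B7-228A3129D1C7) in an <OBJECT classid> tag, wide-character form. Refs: CVE-2006-3638, MS06-042.
# nocase added: the content is the fast-pattern gate, and without it a lower-case CLSID never reaches the case-insensitive (/i) pcre; the sibling wide-character rules in this file already carry nocase. rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|4|00|7|00|6|00|C|00|B|00|F|00|F|00|-|00|E|00|2|00|2|00|9|00|-|00|4|00|5|00|2|00|4|00|-|00|B|00|6|00|B|00|7|00|-|00|2|00|2|00|8|00|A|00|3|00|1|00|2|00|9|00|D|00|1|00|C|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x004\x007\x006\x00C\x00B\x00F\x00F\x00-\x00E\x002\x002\x009\x00-\x004\x005\x002\x004\x00-\x00B\x006\x00B\x007\x00-\x002\x002\x008\x00A\x003\x001\x002\x009\x00D\x001\x00C\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7471; rev:5;)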
# DirectAnimation.DAPair.1 (CLSID C46C1BF4-3C52-11D0-9200-848C1D000000) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-4446, CVE-2006-4777, MS06-067.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8798; rev:4;)
# DXImageTransform.Microsoft.Gradient (CLSID 623E2882-FC0E-11D1-9A77-0000F8756A10) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: MoBB 17 write-up, OSVDB 27109.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|2|00|3|00|E|00|2|00|8|00|8|00|2|00|-|00|F|00|C|00|0|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|A|00|7|00|7|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|6|00|A|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x002\x003\x00E\x002\x008\x008\x002\x00-\x00F\x00C\x000\x00E\x00-\x001\x001\x00D\x001\x00-\x009\x00A\x007\x007\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x006\x00A\x001\x000\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; reference:url,osvdb.org/27109; classtype:attempted-user; sid:7941; rev:6;)
# Office 2000/2002 Web Components Record Navigation Control (CLSID 0002E531-0000-0000-C000-000000000046) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: BID 4449, CVE-2002-0727, MS02-044.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000 and 2002 Web Components Record Navigation Control ActiveX Object Access"; flow:from_server,established; content:"0002E531-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E531-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4178; rev:4;)
# WMT Log Filter (CLSID 92883667-E95C-443D-AC96-4CACA27BEB6E) in an <OBJECT classid> tag, ASCII form (sid 7481 is the wide-character twin); case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-3638, MS06-042.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Log Filter ActiveX CLSID access"; flow:established,to_client; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7480; rev:5;)
# English_UK Stemmer (CLSID D99F7670-7F1A-11CE-BE57-00AA0051FE20) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: BID 14511, CVE-2005-1990, MS05-038.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_UK Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|9|00|F|00|7|00|6|00|7|00|0|00|-|00|7|00|F|00|1|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x009\x00F\x007\x006\x007\x000\x00-\x007\x00F\x001\x00A\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8010; rev:4;)
# Microsoft DT DDS Rectilinear GDD Layout (CLSID 1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2006-1186, MS06-013.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Layout ActiveX Object Access"; flow:from_server,established; content:"1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6002; rev:4;)
# German_German Stemmer (CLSID 510A4910-7F1C-11CE-BE57-00AA0051FE20) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: BID 14511, CVE-2005-1990, MS05-038.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX German_German Stemmer ActiveX CLSID access"; flow:established,to_client; content:"510A4910-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*510A4910-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8015; rev:4;)
# Microsoft DDS Generic Class (CLSID 4FAAB301-CEF6-477C-9F58-F601039E9B78) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2005-2127, MS05-052.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Generic Class ActiveX Object Access"; flow:from_server,established; content:"4FAAB301-CEF6-477C-9F58-F601039E9B78"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4FAAB301-CEF6-477C-9F58-F601039E9B78/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4212; rev:7;)
# Adodb.Stream (CLSID 00000566-0000-0010-8000-00AA006D2EA4) in an <OBJECT classid> tag; the KB reference URL escapes its semicolons as "\;" because ";" terminates a rule option. Refs: BID 10514, CVE-2004-0549, KB870669, MS04-025.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Adodb.Stream ActiveX Object Access"; flow:from_server,established; content:"00000566-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000566-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,www.microsoft.com/technet/security/bulletin/ms04-025.mspx; classtype:attempted-user; sid:4982; rev:5;)
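# WMT FormatConversion Prop Page (CLSID E188F7A3-A04E-413E-99D1-D79A45F70305) in an <OBJECT classid> tag, wide-character form. Refs: CVE-2006-3638, MS06-042.
# nocase added: the content is the fast-pattern gate, and without it a lower-case CLSID never reaches the case-insensitive (/i) pcre; the sibling wide-character rules in this file already carry nocase. rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|1|00|8|00|8|00|F|00|7|00|A|00|3|00|-|00|A|00|0|00|4|00|E|00|-|00|4|00|1|00|3|00|E|00|-|00|9|00|9|00|D|00|1|00|-|00|D|00|7|00|9|00|A|00|4|00|5|00|F|00|7|00|0|00|3|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x001\x008\x008\x00F\x007\x00A\x003\x00-\x00A\x000\x004\x00E\x00-\x004\x001\x003\x00E\x00-\x009\x009\x00D\x001\x00-\x00D\x007\x009\x00A\x004\x005\x00F\x007\x000\x003\x000\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7473; rev:5;)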
# Allocator Fix (CLSID C0D076C5-E4C6-4561-8BF4-80DA8DB819D7) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-3638, MS06-042.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Allocator Fix ActiveX CLSID access"; flow:established,to_client; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7427; rev:5;)
# CDO.KnowledgeSearchFolder (CLSID CD00020C-8B95-11D1-82DB-00C04FB1625D) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. No reference on the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|D|00|0|00|0|00|0|00|2|00|0|00|C|00|-|00|8|00|B|00|9|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|1|00|6|00|2|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00D\x000\x000\x000\x002\x000\x00C\x00-\x008\x00B\x009\x005\x00-\x001\x001\x00D\x001\x00-\x008\x002\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x001\x006\x002\x005\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7907; rev:5;)
# WebViewFolderIcon.WebViewFolderIcon.1 (CLSID E5DF9D10-3B52-11D1-83E8-00A0C90DC849). Content-only rule with no confirming pcre, so any server-to-client HTTP payload carrying the bare CLSID string fires it (advisories and scanner output included); it is also the only rule here in the balanced-ips policy. Refs: BID 19030, CVE-2006-3730, MoBB 18, MS06-057.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:established,to_client; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:7985; rev:8;)
# Microsoft SysTray Invoker (CLSID 730F6CDC-2C86-11D2-8773-92E220524153) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2005-2127, MS05-052.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft SysTray Invoker ActiveX Object Access"; flow:from_server,established; content:"730F6CDC-2C86-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*730F6CDC-2C86-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4232; rev:7;)
# Shell Automation Service (CLSID 13709620-C279-11CE-A49E-444553540000) in an <OBJECT classid> tag; flow:from_server equals to_client. Ref: BID 9335.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell Automation Service ActiveX Object Access"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; metadata:policy security-ips drop; reference:bugtraq,9335; classtype:attempted-user; sid:4168; rev:4;)
# Spanish_Modern Stemmer (CLSID B0516FF0-7F1C-11CE-BE57-00AA0051FE20) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: BID 14511, CVE-2005-1990, MS05-038.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|5|00|1|00|6|00|F|00|F|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x005\x001\x006\x00F\x00F\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8036; rev:6;)
# Terminal Services Advanced Client (CLSID 791fa017-2de3-492e-acc5-53c67a2b94d0, written lower-case here; nocase and /i make the casing irrelevant) in an <OBJECT classid> tag. Refs: BID 5554, CVE-2002-0726, MS02-046.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access"; flow:from_server,established; content:"791fa017-2de3-492e-acc5-53c67a2b94d0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*791fa017-2de3-492e-acc5-53c67a2b94d0/si"; metadata:policy security-ips drop; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,www.microsoft.com/technet/security/bulletin/MS02-046.mspx; classtype:attempted-user; sid:4187; rev:4;)
# Active Setup (CLSID 6E449683-C509-11CF-AAFA-00AA00B6015C) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: BID 775, CVE-2000-0329, MS99-048.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Active Setup ActiveX Object Access"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; metadata:policy security-ips drop; reference:bugtraq,775; reference:cve,2000-0329; reference:url,www.microsoft.com/technet/security/bulletin/MS99-048.mspx; classtype:attempted-user; sid:4154; rev:4;)
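# Bitmap (CLSID 4F3E50BD-A9D7-4721-B0E1-00CB42A0A747) in an <OBJECT classid> tag, wide-character form. Refs: CVE-2006-3638, MS06-042.
# nocase added: the content is the fast-pattern gate, and without it a lower-case CLSID never reaches the case-insensitive (/i) pcre; the sibling wide-character rules in this file already carry nocase. rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Bitmap ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|F|00|3|00|E|00|5|00|0|00|B|00|D|00|-|00|A|00|9|00|D|00|7|00|-|00|4|00|7|00|2|00|1|00|-|00|B|00|0|00|E|00|1|00|-|00|0|00|0|00|C|00|B|00|4|00|2|00|A|00|0|00|A|00|7|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x003\x00E\x005\x000\x00B\x00D\x00-\x00A\x009\x00D\x007\x00-\x004\x007\x002\x001\x00-\x00B\x000\x00E\x001\x00-\x000\x000\x00C\x00B\x004\x002\x00A\x000\x00A\x007\x004\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7430; rev:5;)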
# System Monitor (CLSID C4D2D8E0-D1DD-11CE-940F-008029004347) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: BID 1899, CVE-2000-1034, MS00-085.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor ActiveX CLSID access"; flow:established,to_client; content:"C4D2D8E0-D1DD-11CE-940F-008029004347"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C4D2D8E0-D1DD-11CE-940F-008029004347/si"; metadata:policy security-ips drop; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,www.microsoft.com/technet/security/bulletin/MS00-085.mspx; classtype:attempted-user; sid:8725; rev:4;)
# Kodak Image Editing (CLSID 6D940280-9F11-11CE-83FD-02608C3EC08A) in an <OBJECT classid> tag; flow:from_server equals to_client. Ref: MS99-037.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Editing ActiveX Object Access"; flow:from_server,established; content:"6D940280-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940280-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4193; rev:4;)
# AxMetaStream.MetaStreamCtl (CLSID 03F998B2-0E00-11D3-A498-00104B6EB52E) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Ref: McAfee v_137262 write-up.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID access"; flow:established,to_client; content:"03F998B2-0E00-11D3-A498-00104B6EB52E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03F998B2-0E00-11D3-A498-00104B6EB52E/si"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7878; rev:5;)
# CLSID_ApprenticeICW (CLSID 8EE42293-C315-11D0-8D6F-00A0C9A06E1F) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: BID 14511, CVE-2005-1990, MS05-038.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|E|00|E|00|4|00|2|00|2|00|9|00|3|00|-|00|C|00|3|00|1|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|6|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|A|00|0|00|6|00|E|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00E\x00E\x004\x002\x002\x009\x003\x00-\x00C\x003\x001\x005\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x006\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x00A\x000\x006\x00E\x001\x00F\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7998; rev:4;)
# DXImageTransform.Microsoft.Light (CLSID F9EFBEC2-4302-11D2-952A-00C04FA34F05) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-2383, MS06-021.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID access"; flow:established,to_client; content:"F9EFBEC2-4302-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9EFBEC2-4302-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:cve,2006-2383; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6517; rev:5;)
# Microsoft DocHost User Interface Handler (CLSID 7057E952-BD1B-11D1-8919-00C04FC2C836) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2005-2127, MS05-052.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DocHost User Interface Handler ActiveX Object Access"; flow:from_server,established; content:"7057E952-BD1B-11D1-8919-00C04FC2C836"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7057E952-BD1B-11D1-8919-00C04FC2C836/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4226; rev:7;)
# cfw Class (CLSID ECABAFC0-7F19-11D2-978E-0000F8757E2A) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2005-2831, MS05-054.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX cfw Class ActiveX Object Access"; flow:from_server,established; content:"ECABAFC0-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC0-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4891; rev:5;)
# RFXInstMgr Class (CLSID 47F59200-8783-11D2-8343-00A0C945A819) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. No reference on the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID access"; flow:established,to_client; content:"47F59200-8783-11D2-8343-00A0C945A819"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47F59200-8783-11D2-8343-00A0C945A819/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8391; rev:4;)
# WMT Virtual Renderer (CLSID 930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-3638, MS06-042.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID access"; flow:established,to_client; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7492; rev:5;)
# VisualExec Control (CLSID 99EA8527-6A6A-40FE-A67C-82CF763902D0) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. No reference on the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualExec Control ActiveX CLSID access"; flow:established,to_client; content:"99EA8527-6A6A-40FE-A67C-82CF763902D0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99EA8527-6A6A-40FE-A67C-82CF763902D0/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8407; rev:4;)
# Windows Media Player 7+ (CLSID 6BF52A52-394A-11D3-B153-00C04F79FAA6) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: BID 2167/12031/12032, CVE-2001-0148, CVE-2004-1324, CVE-2004-1325, MS01-015.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player 7+ ActiveX Object Access"; flow:from_server,established; content:"6BF52A52-394A-11D3-B153-00C04F79FAA6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6BF52A52-394A-11D3-B153-00C04F79FAA6/si"; metadata:policy security-ips drop; reference:bugtraq,12031; reference:bugtraq,12032; reference:bugtraq,2167; reference:cve,2001-0148; reference:cve,2004-1324; reference:cve,2004-1325; reference:url,www.microsoft.com/technet/security/bulletin/MS01-015.mspx; classtype:attempted-user; sid:4156; rev:4;)
# Dynamic Casts (CLSID 5DFB2651-9668-11D0-B17B-00C04FC2A0CA). Content-only rule with no confirming pcre, so any server-to-client HTTP payload carrying the bare CLSID string fires it. Refs: CVE-2006-3638, MS06-042.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dynamic Casts ActiveX clsid access"; flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7435; rev:7;)
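# ShotDetect (CLSID CFFB1FC7-270D-4986-B299-FECF3F0E42DB) in an <OBJECT classid> tag. Refs: CVE-2006-3638, MS06-042.
# nocase added: the content is the fast-pattern gate, and without it a lower-case CLSID never reaches the case-insensitive (/i) pcre; every other ASCII CLSID rule in this file carries nocase. rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShotDetect ActiveX CLSID access"; flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7448; rev:5;)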
# DocFind Command (CLSID B005E690-678D-11D1-B758-00A0C90564FE) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. No reference on the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DocFind Command ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|0|00|5|00|E|00|6|00|9|00|0|00|-|00|6|00|7|00|8|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|7|00|5|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|6|00|4|00|F|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x000\x005\x00E\x006\x009\x000\x00-\x006\x007\x008\x00D\x00-\x001\x001\x00D\x001\x00-\x00B\x007\x005\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x006\x004\x00F\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8412; rev:4;)
# WebViewFolderIcon.WebViewFolderIcon.2 (CLSID 844F4806-E8A8-11D2-9652-00C04FC30871) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. No reference on the rule (sid 7985 covers the .1 control).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|4|00|4|00|F|00|4|00|8|00|0|00|6|00|-|00|E|00|8|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|6|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|3|00|0|00|8|00|7|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x004\x004\x00F\x004\x008\x000\x006\x00-\x00E\x008\x00A\x008\x00-\x001\x001\x00D\x002\x00-\x009\x006\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x003\x000\x008\x007\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7988; rev:5;)
# DirectAnimation.DAArray.1 (CLSID D17506C3-6B26-11D0-8914-00C04FC2A0CA) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-4446, CVE-2006-4777, MS06-067.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID access"; flow:established,to_client; content:"D17506C3-6B26-11D0-8914-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D17506C3-6B26-11D0-8914-00C04FC2A0CA/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8843; rev:4;)
# DirectAnimation.DAPoint3.1 (CLSID C46C1BD8-3C52-11D0-9200-848C1D000000) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-4446, CVE-2006-4777, MS06-067.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8790; rev:4;)
# Xml2Dex (CLSID 18C628EE-962A-11D2-8D08-00A0C9441E20) in an <OBJECT classid> tag; case-insensitive content prefilter plus confirming pcre. No reference on the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Xml2Dex ActiveX CLSID access"; flow:established,to_client; content:"18C628EE-962A-11D2-8D08-00A0C9441E20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18C628EE-962A-11D2-8D08-00A0C9441E20/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8379; rev:4;)
# Registration Wizard (CLSID 50E5E3D1-C07E-11D0-B9FD-00A0249F6B00) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: BID 671, MS99-037.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Registration Wizard ActiveX Object Access"; flow:from_server,established; content:"50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50E5E3D1-C07E-11D0-B9FD-00A0249F6B00/si"; metadata:policy security-ips drop; reference:bugtraq,671; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4171; rev:6;)
# Microsoft Repository Root (CLSID 6E22710F-F799-11CF-9227-00AA00A1EB95) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2005-2831, MS05-054.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Root ActiveX Object Access"; flow:from_server,established; content:"6E22710F-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710F-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4912; rev:5;)
# Internet Explorer Blnmgrps.dll (CLSID BC5F1E51-5110-11D1-AFF5-006097C9A284) in an <OBJECT classid> tag; flow:from_server equals to_client. Refs: CVE-2005-2127, MS05-052.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access"; flow:from_server,established; content:"BC5F1E51-5110-11D1-AFF5-006097C9A284"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC5F1E51-5110-11D1-AFF5-006097C9A284/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4198; rev:7;)
# DirectAnimation.DAPath2.1 (CLSID C46C1BD0-3C52-11D0-9200-848C1D000000) in an <OBJECT classid> tag, wide-character form; case-insensitive content prefilter plus confirming pcre. Refs: CVE-2006-4446, CVE-2006-4777, MS06-067.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8796; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID access"; flow:established,to_client; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4C6F-AA96-4E4DC6DC291E/si"; metadata:policy security-ips drop; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; classtype:attempted-user; sid:7914; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Log Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|2|00|8|00|8|00|3|00|6|00|6|00|7|00|-|00|E|00|9|00|5|00|C|00|-|00|4|00|4|00|3|00|D|00|-|00|A|00|C|00|9|00|6|00|-|00|4|00|C|00|A|00|C|00|A|00|2|00|7|00|B|00|E|00|B|00|6|00|E|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x002\x008\x008\x003\x006\x006\x007\x00-\x00E\x009\x005\x00C\x00-\x004\x004\x003\x00D\x00-\x00A\x00C\x009\x006\x00-\x004\x00C\x00A\x00C\x00A\x002\x007\x00B\x00E\x00B\x006\x00E\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7481; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|9|00|A|00|D|00|9|00|0|00|E|00|F|00|-|00|1|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x009\x00A\x00D\x009\x000\x00E\x00F\x00-\x001\x00C\x002\x000\x00-\x001\x001\x00D\x001\x00-\x008\x008\x000\x001\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7953; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|3|00|1|00|D|00|1|00|1|00|-|00|6|00|F|00|D|00|2|00|-|00|4|00|6|00|5|00|9|00|-|00|A|00|D|00|7|00|5|00|-|00|1|00|5|00|5|00|F|00|A|00|1|00|4|00|3|00|F|00|4|00|2|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x003\x001\x00D\x001\x001\x00-\x006\x00F\x00D\x002\x00-\x004\x006\x005\x009\x00-\x00A\x00D\x007\x005\x00-\x001\x005\x005\x00F\x00A\x001\x004\x003\x00F\x004\x002\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7443; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x007\x00F\x005\x009\x002\x000\x000\x00-\x008\x007\x008\x003\x00-\x001\x001\x00D\x002\x00-\x008\x003\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x004\x005\x00A\x008\x001\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8392; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|C|00|D|00|E|00|7|00|3|00|4|00|1|00|-|00|3|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|3|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00C\x00D\x00E\x007\x003\x004\x001\x00-\x003\x00C\x002\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x003\x000\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8802; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Rendezvous Class ActiveX CLSID access"; flow:established,to_client; content:"F1029E5B-CB5B-11D0-8D59-00C04FD91AC0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F1029E5B-CB5B-11D0-8D59-00C04FD91AC0/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7974; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Frame Eater ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|C|00|6|00|8|00|9|00|5|00|5|00|E|00|-|00|F|00|9|00|6|00|5|00|-|00|4|00|2|00|4|00|9|00|-|00|8|00|E|00|1|00|8|00|-|00|F|00|0|00|9|00|7|00|7|00|B|00|1|00|D|00|2|00|8|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00C\x006\x008\x009\x005\x005\x00E\x00-\x00F\x009\x006\x005\x00-\x004\x002\x004\x009\x00-\x008\x00E\x001\x008\x00-\x00F\x000\x009\x007\x007\x00B\x001\x00D\x002\x008\x009\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7438; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|2|00|9|00|0|00|B|00|D|00|5|00|-|00|4|00|8|00|A|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|4|00|3|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|C|00|3|00|F|00|B|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x002\x009\x000\x00B\x00D\x005\x00-\x004\x008\x00A\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x004\x003\x002\x00-\x000\x000\x006\x000\x000\x008\x00C\x003\x00F\x00B\x00F\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,www.microsoft.com/technet/security/Bulletin/MS99-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; classtype:attempted-user; sid:8065; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID access"; flow:established,to_client; content:"CD00020C-8B95-11D1-82DB-00C04FB1625D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CD00020C-8B95-11D1-82DB-00C04FB1625D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7906; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|6|00|7|00|0|00|D|00|0|00|B|00|3|00|-|00|0|00|5|00|A|00|B|00|-|00|4|00|1|00|1|00|5|00|-|00|9|00|F|00|8|00|7|00|-|00|D|00|9|00|8|00|3|00|E|00|F|00|1|00|A|00|C|00|7|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x006\x007\x000\x00D\x000\x00B\x003\x00-\x000\x005\x00A\x00B\x00-\x004\x001\x001\x005\x00-\x009\x00F\x008\x007\x00-\x00D\x009\x008\x003\x00E\x00F\x001\x00A\x00C\x007\x004\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7895; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|8|00|A|00|4|00|9|00|9|00|C|00|7|00|-|00|F|00|9|00|B|00|0|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|D|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|8|00|1|00|B|00|0|00|3|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x008\x00A\x004\x009\x009\x00C\x007\x00-\x00F\x009\x00B\x000\x00-\x001\x001\x00D\x002\x00-\x009\x003\x00D\x004\x00-\x000\x000\x00A\x000\x00C\x009\x008\x001\x00B\x000\x003\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7883; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Switch Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|1|00|0|00|5|00|B|00|C|00|3|00|-|00|C|00|0|00|6|00|4|00|-|00|4|00|5|00|F|00|1|00|-|00|A|00|D|00|5|00|3|00|-|00|6|00|D|00|8|00|A|00|8|00|5|00|7|00|8|00|D|00|0|00|1|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x001\x000\x005\x00B\x00C\x003\x00-\x00C\x000\x006\x004\x00-\x004\x005\x00F\x001\x00-\x00A\x00D\x005\x003\x00-\x006\x00D\x008\x00A\x008\x005\x007\x008\x00D\x000\x001\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7491; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID access"; flow:established,to_client; content:"283807B5-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B5-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8765; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID access"; flow:established,to_client; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06723E09-F4C2-43c8-8358-09FCD1DB0766/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8373; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8819; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT PolyLine Control 2 ActiveX Object Access"; flow:from_server,established; content:"D24D4453-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4453-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4204; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|D|00|3|00|6|00|C|00|E|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00D\x003\x006\x00C\x00E\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8024; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4163; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Progress Ctl ActiveX Object Access"; flow:from_server,established; content:"0006F071-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F071-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4900; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|1|00|7|00|5|00|0|00|6|00|C|00|3|00|-|00|6|00|B|00|2|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x001\x007\x005\x000\x006\x00C\x003\x00-\x006\x00B\x002\x006\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x004\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8844; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX German_German Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|1|00|0|00|A|00|4|00|9|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x001\x000\x00A\x004\x009\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8016; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|0|00|C|00|0|00|7|00|D|00|5|00|6|00|-|00|7|00|C|00|6|00|9|00|-|00|4|00|3|00|F|00|1|00|-|00|B|00|4|00|A|00|0|00|-|00|2|00|5|00|F|00|5|00|A|00|1|00|1|00|F|00|A|00|B|00|1|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x000\x00C\x000\x007\x00D\x005\x006\x00-\x007\x00C\x006\x009\x00-\x004\x003\x00F\x001\x00-\x00B\x004\x00A\x000\x00-\x002\x005\x00F\x005\x00A\x001\x001\x00F\x00A\x00B\x001\x009\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8368; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|F|00|1|00|5|00|8|00|E|00|1|00|-|00|C|00|B|00|0|00|4|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|E|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00F\x001\x005\x008\x00E\x001\x00-\x00C\x00B\x000\x004\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x00E\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8050; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|1|00|1|00|4|00|5|00|5|00|5|00|0|00|-|00|A|00|4|00|5|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|9|00|0|00|2|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|2|00|3|00|9|00|0|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x001\x001\x004\x005\x005\x005\x000\x00-\x00A\x004\x005\x004\x00-\x001\x001\x00D\x004\x00-\x009\x000\x002\x000\x00-\x000\x000\x00D\x000\x00B\x007\x002\x003\x009\x000\x008\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7889; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID access"; flow:established,to_client; content:"AF604EFE-8897-11D1-B944-00A0C90312E1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF604EFE-8897-11D1-B944-00A0C90312E1/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7948; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Interface Definition ActiveX Object Access"; flow:from_server,established; content:"6E227109-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227109-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4906; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC1-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC1-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8834; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShotDetect ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|F|00|F|00|B|00|1|00|F|00|C|00|7|00|-|00|2|00|7|00|0|00|D|00|-|00|4|00|9|00|8|00|6|00|-|00|B|00|2|00|9|00|9|00|-|00|F|00|E|00|C|00|F|00|3|00|F|00|0|00|E|00|4|00|2|00|D|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00F\x00B\x001\x00F\x00C\x007\x00-\x002\x007\x000\x00D\x00-\x004\x009\x008\x006\x00-\x00B\x002\x009\x009\x00-\x00F\x00E\x00C\x00F\x003\x00F\x000\x00E\x004\x002\x00D\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7449; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID access"; flow:established,to_client; content:"18AB439E-FCF4-40D4-90DA-F79BAA3B0655"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18AB439E-FCF4-40D4-90DA-F79BAA3B0655/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7999; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|9|00|A|00|2|00|C|00|2|00|A|00|6|00|-|00|4|00|7|00|7|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|B|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x009\x00A\x002\x00C\x002\x00A\x006\x00-\x004\x007\x007\x008\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x00B\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7432; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8768; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID access"; flow:established,to_client; content:"FD853CD9-7F86-11D0-8252-00C04FD85AB4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD853CD9-7F86-11D0-8252-00C04FD85AB4/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7916; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Stetch ActiveX CLSID access"; flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7450; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|1|00|2|00|3|00|2|00|E|00|E|00|-|00|4|00|4|00|D|00|7|00|-|00|4|00|4|00|9|00|4|00|-|00|A|00|B|00|8|00|B|00|-|00|C|00|C|00|6|00|1|00|B|00|1|00|0|00|E|00|2|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x001\x002\x003\x002\x00E\x00E\x00-\x004\x004\x00D\x007\x00-\x004\x004\x009\x004\x00-\x00A\x00B\x008\x00B\x00-\x00C\x00C\x006\x001\x00B\x001\x000\x00E\x002\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7485; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft TipGW Init ActiveX Object Access"; flow:from_server,established; content:"F117831B-C052-11D1-B1C0-00C04FC2F3EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F117831B-C052-11D1-B1C0-00C04FC2F3EF/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4214; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|D|00|4|00|5|00|2|00|9|00|E|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|5|00|5|00|0|00|-|00|A|00|2|00|E|00|0|00|-|00|C|00|2|00|5|00|D|00|7|00|C|00|5|00|C|00|C|00|0|00|D|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00D\x004\x005\x002\x009\x00E\x00-\x008\x004\x00E\x000\x00-\x004\x005\x005\x000\x00-\x00A\x002\x00E\x000\x00-\x00C\x002\x005\x00D\x007\x00C\x005\x00C\x00C\x000\x00D\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7457; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Import Filter ActiveX CLSID access"; flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7476; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID access"; flow:established,to_client; content:"B1549E58-3894-11D2-BB7F-00A0C999C4C1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1549E58-3894-11D2-BB7F-00A0C999C4C1/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8750; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID access"; flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7464; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Xml2Dex ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|C|00|6|00|2|00|8|00|E|00|E|00|-|00|9|00|6|00|2|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|D|00|0|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|4|00|1|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00C\x006\x002\x008\x00E\x00E\x00-\x009\x006\x002\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x00D\x000\x008\x00-\x000\x000\x00A\x000\x00C\x009\x004\x004\x001\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8380; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository ActiveX Object Access"; flow:from_server,established; content:"6E227101-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227101-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4225; rev:7;)
# WEB-ACTIVEX CLSID rules: each one detects an HTML <OBJECT> tag that instantiates a
# specific ActiveX control by CLSID inside a server->client HTTP response
# ($EXTERNAL_NET:$HTTP_PORTS -> $HOME_NET; flow "from_server" and "to_client" are
# two spellings of the same direction). Every rule has the same two-stage shape:
#   content:  the bare CLSID, marked fast_pattern:only, so it is used purely as the
#             fast-pattern prefilter and the rule is only evaluated when those
#             bytes occur somewhere in the payload;
#   pcre:     confirms the CLSID sits inside an <OBJECT ... classid="clsid:{...}
#             attribute. Quotes ([\x22\x27]?) and the opening brace (\x7B?) are
#             optional, /s lets the tag span lines, /i makes it case-insensitive.
# "unicode access" variants carry the identical pattern with a \x00 after every
# character (content written as X|00|Y|00|...), i.e. a UTF-16LE encoded page.
# Scope, as written: only the <OBJECT classid=...> form is matched; a control
# instantiated from script or by ProgID is not covered by these rules.
# No http_* buffer modifiers are used, so matching is against the raw reassembled
# payload. NOTE(review): a compressed or otherwise encoded response body is
# presumably not matched unless a preprocessor decodes it first — confirm
# against the deployed Snort version.
# metadata:policy security-ips drop — the rule becomes a drop rule when the
# security-ips policy is selected; otherwise its own action (alert) applies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Image Control 1.0 ActiveX Object Access"; flow:from_server,established; content:"D4A97620-8E8F-11CF-93CD-00AA00C08FDF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D4A97620-8E8F-11CF-93CD-00AA00C08FDF/si"; metadata:policy security-ips drop; reference:bugtraq,12477; reference:url,www.microsoft.com/technet/security/bulletin/MS05-014.mspx; classtype:attempted-user; sid:4165; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|3|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x003\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; reference:cve,1999-0384; reference:url,www.microsoft.com/technet/security/bulletin/ms99-001.mspx; classtype:attempted-user; sid:7955; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID access"; flow:established,to_client; content:"E0F158E1-CB04-11D0-BD4E-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0F158E1-CB04-11D0-BD4E-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8049; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|B|00|B|00|3|00|1|00|0|00|-|00|5|00|D|00|0|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|3|00|B|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00B\x00B\x003\x001\x000\x00-\x005\x00D\x000\x001\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x003\x00B\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8042; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8787; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|C|00|A|00|B|00|B|00|0|00|B|00|F|00|-|00|7|00|F|00|1|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|7|00|8|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|7|00|E|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00C\x00A\x00B\x00B\x000\x00B\x00F\x00-\x007\x00F\x001\x009\x00-\x001\x001\x00D\x002\x00-\x009\x007\x008\x00E\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x007\x00E\x002\x00A\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8034; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access"; flow:from_server,established; content:"22D6F312-B0F6-11D0-94AB-0080C74C7E95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22D6F312-B0F6-11D0-94AB-0080C74C7E95/si"; metadata:policy security-ips drop; reference:bugtraq,793; reference:cve,1999-1110; classtype:attempted-user; sid:4152; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID access"; flow:established,to_client; content:"8241F015-84D3-11d2-97E6-0000F803FF7A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8241F015-84D3-11d2-97E6-0000F803FF7A/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7912; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItem2 ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|E|00|F|00|1|00|0|00|F|00|A|00|2|00|-|00|3|00|5|00|5|00|E|00|-|00|4|00|E|00|0|00|6|00|-|00|9|00|3|00|8|00|1|00|-|00|9|00|B|00|2|00|4|00|D|00|7|00|F|00|7|00|C|00|C|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00E\x00F\x001\x000\x00F\x00A\x002\x00-\x003\x005\x005\x00E\x00-\x004\x00E\x000\x006\x00-\x009\x003\x008\x001\x00-\x009\x00B\x002\x004\x00D\x007\x00F\x007\x00C\x00C\x008\x008\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7931; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Database Tools Query Designer v7.0 ActiveX Object Access"; flow:from_server,established; content:"2C10A98F-D64F-43B4-BED6-DD0E1BF2074C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C10A98F-D64F-43B4-BED6-DD0E1BF2074C/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4233; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX McSubMgr ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|b|00|e|00|8|00|d|00|7|00|b|00|2|00|-|00|3|00|2|00|9|00|c|00|-|00|4|00|4|00|2|00|a|00|-|00|a|00|4|00|a|00|c|00|-|00|a|00|b|00|a|00|9|00|d|00|7|00|5|00|7|00|2|00|6|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00b\x00e\x008\x00d\x007\x00b\x002\x00-\x003\x002\x009\x00c\x00-\x004\x004\x002\x00a\x00-\x00a\x004\x00a\x00c\x00-\x00a\x00b\x00a\x009\x00d\x007\x005\x007\x002\x006\x000\x002\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7865; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Bitmap ActiveX CLSID access"; flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7429; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Switch Filter ActiveX CLSID access"; flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7490; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Volume ActiveX CLSID access"; flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7496; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8822; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8783; rev:4;)
# NOTE(review): sid 7459 (and likewise sid 7441 and sid 7483 below) has no nocase on the
# content, unlike every other unicode rule in this span. The pcre is /i, but the
# fast-pattern content is not, so a lowercase-hex CLSID in the UTF-16 page would
# presumably never reach the pcre on versions where the prefilter honours case —
# confirm, and align with the siblings if so.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|7|00|4|00|C|00|A|00|7|00|0|00|F|00|-|00|2|00|2|00|3|00|6|00|-|00|4|00|B|00|A|00|8|00|-|00|A|00|2|00|9|00|7|00|-|00|4|00|B|00|2|00|A|00|2|00|8|00|C|00|2|00|3|00|6|00|3|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x004\x00C\x00A\x007\x000\x00F\x00-\x002\x002\x003\x006\x00-\x004\x00B\x00A\x008\x00-\x00A\x002\x009\x007\x00-\x004\x00B\x002\x00A\x002\x008\x00C\x002\x003\x006\x003\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7459; rev:4;)
# No reference: field on sid 7920 — triage has only the msg text to go on.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID access"; flow:established,to_client; content:"F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7920; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|F|00|2|00|4|00|1|00|D|00|B|00|1|00|-|00|E|00|E|00|9|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|2|00|4|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|C|00|9|00|9|00|E|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x002\x004\x001\x00D\x00B\x001\x00-\x00E\x00E\x009\x00F\x00-\x001\x001\x00D\x000\x00-\x009\x008\x002\x004\x00-\x000\x000\x006\x000\x009\x007\x00C\x009\x009\x00E\x005\x001\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8763; rev:4;)
# NOTE(review): sid 7441 — no nocase on the content (see the note at sid 7459).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HTML Help ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|B|00|2|00|3|00|C|00|2|00|8|00|-|00|4|00|8|00|8|00|E|00|-|00|4|00|e|00|5|00|C|00|-|00|A|00|C|00|E|00|2|00|-|00|B|00|B|00|0|00|B|00|B|00|A|00|B|00|E|00|9|00|9|00|E|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00B\x002\x003\x00C\x002\x008\x00-\x004\x008\x008\x00E\x00-\x004\x00e\x005\x00C\x00-\x00A\x00C\x00E\x002\x00-\x00B\x00B\x000\x00B\x00B\x00A\x00B\x00E\x009\x009\x00E\x008\x00/si"; metadata:policy security-ips drop; reference:bugtraq,13953; reference:cve,2005-1208; reference:url,www.microsoft.com/technet/security/bulletin/MS05-026.mspx; classtype:attempted-user; sid:7441; rev:4;)
# No reference: field on sid 8395 — triage has only the msg text to go on.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID access"; flow:established,to_client; content:"63500AE2-0858-11D2-8CE4-00C04F8ECB10"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63500AE2-0858-11D2-8CE4-00C04F8ECB10/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8395; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MsnPUpld ActiveX Object Access"; flow:from_server,established; content:"F107317A-A488-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F107317A-A488-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4173; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Script Definition ActiveX Object Access"; flow:from_server,established; content:"D675E22B-CAE9-11D2-AF7B-00C04F99179F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D675E22B-CAE9-11D2-AF7B-00C04F99179F/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4914; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WDM Instance Provider ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|D|00|5|00|8|00|8|00|B|00|5|00|-|00|D|00|0|00|8|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|9|00|E|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|8|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x00D\x005\x008\x008\x00B\x005\x00-\x00D\x000\x008\x001\x00-\x001\x001\x00D\x000\x00-\x009\x009\x00E\x000\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x008\x00E\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8052; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID access"; flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6686; rev:5;)
# NOTE(review): sid 7483 — no nocase on the content (see the note at sid 7459).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|0|00|0|00|2|00|B|00|1|00|7|00|-|00|5|00|D|00|9|00|3|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|1|00|E|00|4|00|-|00|8|00|3|00|1|00|F|00|E|00|F|00|7|00|8|00|0|00|A|00|5|00|3|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x000\x000\x002\x00B\x001\x007\x00-\x005\x00D\x009\x003\x00-\x004\x005\x005\x001\x00-\x008\x001\x00E\x004\x00-\x008\x003\x001\x00F\x00E\x00F\x007\x008\x000\x00A\x005\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7483; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID access"; flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; metadata:policy security-ips drop; reference:cve,2006-1303; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6681; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|C|00|C|00|D|00|D|00|F|00|-|00|C|00|A|00|2|00|8|00|-|00|4|00|9|00|6|00|b|00|-|00|B|00|0|00|5|00|0|00|-|00|6|00|C|00|0|00|7|00|C|00|9|00|6|00|2|00|4|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x00C\x00C\x00D\x00D\x00F\x00-\x00C\x00A\x002\x008\x00-\x004\x009\x006\x00b\x00-\x00B\x000\x005\x000\x00-\x006\x00C\x000\x007\x00C\x009\x006\x002\x004\x007\x006\x00B\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8718; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID access"; flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7452; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT Icon Control ActiveX Object Access"; flow:from_server,established; content:"D24D4450-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4450-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6006; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|E|00|0|00|4|00|5|00|8|00|1|00|-|00|4|00|E|00|E|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|F|00|E|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|B|00|4|00|3|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x00E\x000\x004\x005\x008\x001\x00-\x004\x00E\x00E\x00E\x00-\x001\x001\x00D\x000\x00-\x00B\x00F\x00E\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x00B\x004\x003\x008\x003\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8020; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8829; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID access"; flow:established,to_client; content:"FD179533-D86E-11D0-89D6-00A0C90833E6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD179533-D86E-11D0-89D6-00A0C90833E6/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8756; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|B|00|E|00|B|00|8|00|A|00|0|00|5|00|-|00|B|00|E|00|E|00|E|00|-|00|4|00|4|00|4|00|2|00|-|00|8|00|0|00|4|00|E|00|-|00|4|00|0|00|9|00|D|00|6|00|C|00|4|00|5|00|1|00|5|00|E|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00B\x00E\x00B\x008\x00A\x000\x005\x00-\x00B\x00E\x00E\x00E\x00-\x004\x004\x004\x002\x00-\x008\x000\x004\x00E\x00-\x004\x000\x009\x00D\x006\x00C\x004\x005\x001\x005\x00E\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7977; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network and Dial-Up Connections ActiveX Object Access"; flow:from_server,established; content:"992CFFA0-F557-101A-88EC-00DD010CCC48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*992CFFA0-F557-101A-88EC-00DD010CCC48/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4220; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID access"; flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7468; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ActiveLabel ActiveX Object Access"; flow:from_server,established; content:"99B42120-6EC7-11CF-A6C7-00AA00A47DD2"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99B42120-6EC7-11CF-A6C7-00AA00A47DD2/si"; metadata:policy security-ips drop; reference:bugtraq,5558; reference:cve,2002-0647; reference:url,www.microsoft.com/technet/security/bulletin/MS02-047.mspx; classtype:attempted-user; sid:4147; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID access"; flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7470; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ICM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|0|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x000\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8018; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Smartcard Enrollment ActiveX Object Access"; flow:from_server,established; content:"80CB7887-20DE-11D2-8D5C-00C04FC29D45"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80CB7887-20DE-11D2-8D5C-00C04FC29D45/si"; metadata:policy security-ips drop; reference:cve,2002-0699; reference:url,www.microsoft.com/technet/security/bulletin/MS02-048.mspx; classtype:attempted-user; sid:4181; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8832; rev:4;)
# No reference: field on sid 7927 — triage has only the msg text to go on.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXTFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|8|00|5|00|A|00|9|00|1|00|B|00|C|00|-|00|1|00|E|00|8|00|A|00|-|00|4|00|E|00|4|00|A|00|-|00|A|00|7|00|A|00|6|00|-|00|F|00|4|00|F|00|C|00|1|00|E|00|6|00|C|00|A|00|1|00|B|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x008\x005\x00A\x009\x001\x00B\x00C\x00-\x001\x00E\x008\x00A\x00-\x004\x00E\x004\x00A\x00-\x00A\x007\x00A\x006\x00-\x00F\x004\x00F\x00C\x001\x00E\x006\x00C\x00A\x001\x00B\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7927; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8748; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook.Application ActiveX CLSID access"; flow:established,to_client; content:"0006F03A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F03A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8371; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation ActiveX Object Access"; flow:from_server,established; content:"283807B8-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B8-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4202; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BEE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8816; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8804; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeInfo ActiveX Object Access"; flow:from_server,established; content:"00020422-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020422-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4895; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8814; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A762-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A762-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8047; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"FF2BBC4A-6881-4294-BE0C-17535B1FCCFA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FF2BBC4A-6881-4294-BE0C-17535B1FCCFA/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4161; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID access"; flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7462; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Multimedia File Property Sheet ActiveX Object Access"; flow:from_server,established; content:"00022613-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00022613-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,5094; classtype:attempted-user; sid:4159; rev:4;)
# No reference: field on sid 8401 — triage has only the msg text to go on.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID access"; flow:established,to_client; content:"760C4B83-E211-11D2-BF3E-00805FBE84A6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*760C4B83-E211-11D2-BF3E-00805FBE84A6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8401; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"25B0F91C-D23D-11D0-9B85-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25B0F91C-D23D-11D0-9B85-00C04FC2F51D/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8741; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft OpenCable Class ActiveX Object Access"; flow:from_server,established; content:"ABBA001B-3075-11D6-88A4-00B0D0200F88"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ABBA001B-3075-11D6-88A4-00B0D0200F88/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4223; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSOAInterface ActiveX Object Access"; flow:from_server,established; content:"00020424-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020424-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4897; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID access"; flow:established,to_client; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BA018599-1DB3-44f9-83B4-461454C84BF8/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8719; rev:4;)
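# sid:7487 — WMT Screen Capture Filter Task Page CLSID, UTF-16 form (MS06-042 / CVE-2006-3638).
# `nocase` added on the fast-pattern content: the pcre is already /i, but the content match gates it,
# so a page spelling the CLSID hex in lower case would otherwise never reach the regex. This brings
# the rule in line with the sibling unicode rules (e.g. sid:8814, sid:8775). rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|7|00|9|00|E|00|1|00|3|00|2|00|F|00|-|00|5|00|6|00|1|00|B|00|-|00|4|00|2|00|F|00|8|00|-|00|8|00|4|00|6|00|C|00|-|00|A|00|7|00|0|00|D|00|B|00|D|00|C|00|6|00|2|00|9|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x009\x00E\x001\x003\x002\x00F\x00-\x005\x006\x001\x00B\x00-\x004\x002\x00F\x008\x00-\x008\x004\x006\x00C\x00-\x00A\x007\x000\x00D\x00B\x00D\x00C\x006\x002\x009\x009\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7487; rev:5;)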
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8771; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8840; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|8|00|6|00|8|00|3|00|0|00|4|00|-|00|A|00|B|00|0|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|6|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x008\x006\x008\x003\x000\x004\x00-\x00A\x00B\x000\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x007\x006\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8775; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HTML Help ActiveX Object Access"; flow:from_server,established; content:"41B23C28-488E-4e5C-ACE2-BB0BBABE99E8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41B23C28-488E-4e5C-ACE2-BB0BBABE99E8/si"; metadata:policy security-ips drop; reference:bugtraq,13953; reference:cve,2005-1208; reference:url,www.microsoft.com/technet/security/bulletin/MS05-026.mspx; classtype:attempted-user; sid:4183; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID access"; flow:established,to_client; content:"98BFD494-F6AD-4794-9038-832C0654CC43"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98BFD494-F6AD-4794-9038-832C0654CC43/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7900; rev:5;)
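# sid:8365 — DExplore.AppObj.8.0 CLSID, ASCII form (ie_createobject).
# `nocase` added on the fast-pattern content so a lower-case CLSID in the page still reaches the
# case-insensitive pcre; every other ASCII CLSID rule in this family (e.g. sid:8719, sid:8047) carries it.
# rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID access"; flow:established,to_client; content:"639F725F-1B2D-4831-A9FD-874847682010"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*639F725F-1B2D-4831-A9FD-874847682010/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8365; rev:5;)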
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|6|00|6|00|D|00|6|00|6|00|F|00|A|00|-|00|9|00|6|00|1|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|4|00|2|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|A|00|E|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x006\x006\x00D\x006\x006\x00F\x00A\x00-\x009\x006\x001\x006\x00-\x001\x001\x00D\x002\x00-\x009\x003\x004\x002\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x00A\x00E\x001\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8032; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Services on the Web Free/Busy ActiveX Object Access"; flow:from_server,established; content:"F28D867A-DDB1-11D3-B8E8-00A0C981AEEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F28D867A-DDB1-11D3-B8E8-00A0C981AEEB/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4217; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|D|00|C|00|6|00|C|00|B|00|8|00|6|00|-|00|4|00|2|00|4|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00D\x00C\x006\x00C\x00B\x008\x006\x00-\x004\x002\x004\x00C\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7911; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMI ASDI Extension ActiveX Object Access"; flow:from_server,established; content:"F0975AFE-5C7F-11D2-8B74-00104B2AFB41"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F0975AFE-5C7F-11D2-8B74-00104B2AFB41/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4236; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID access"; flow:established,to_client; content:"FD78D554-4C6E-11D0-970D-00A0C9191601"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD78D554-4C6E-11D0-970D-00A0C9191601/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8005; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|A|00|0|00|1|00|8|00|5|00|9|00|9|00|-|00|1|00|D|00|B|00|3|00|-|00|4|00|4|00|f|00|9|00|-|00|8|00|3|00|B|00|4|00|-|00|4|00|6|00|1|00|4|00|5|00|4|00|C|00|8|00|4|00|B|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00A\x000\x001\x008\x005\x009\x009\x00-\x001\x00D\x00B\x003\x00-\x004\x004\x00f\x009\x00-\x008\x003\x00B\x004\x00-\x004\x006\x001\x004\x005\x004\x00C\x008\x004\x00B\x00F\x008\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8720; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Alias ActiveX Object Access"; flow:from_server,established; content:"62EC9F22-5E30-11D2-97A1-00C04FB6DD9A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*62EC9F22-5E30-11D2-97A1-00C04FB6DD9A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4904; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID access"; flow:established,to_client; content:"8BD21D20-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D20-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7956; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItems3 ActiveX CLSID access"; flow:established,to_client; content:"53C74826-AB99-4D33-ACA4-3117F51D3788"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*53C74826-AB99-4D33-ACA4-3117F51D3788/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7932; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|0|00|5|00|0|00|F|00|3|00|9|00|1|00|-|00|9|00|8|00|B|00|5|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|B|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|C|00|E|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x000\x005\x000\x00F\x003\x009\x001\x00-\x009\x008\x00B\x005\x00-\x001\x001\x00C\x00F\x00-\x00B\x00B\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x00D\x00C\x00E\x000\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8026; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX syncui.dll ActiveX CLSID access"; flow:established,to_client; content:"85BBD920-42A0-1069-A2E4-08002B30309D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85BBD920-42A0-1069-A2E4-08002B30309D/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8039; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Route ActiveX Object Access"; flow:from_server,established; content:"1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6003; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|2|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x002\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8048; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Picture Shape Control ActiveX Object Access"; flow:from_server,established; content:"6CBE0382-A879-4D2A-8EC3-1F2A43611BA8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6CBE0382-A879-4D2A-8EC3-1F2A43611BA8/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4213; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID access"; flow:established,to_client; content:"85A4A99C-8C3D-499E-A386-E0743DFF8FB7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85A4A99C-8C3D-499E-A386-E0743DFF8FB7/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8735; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|D|00|2|00|8|00|D|00|0|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00D\x002\x008\x00D\x000\x00-\x008\x00B\x00F\x004\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8008; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID access"; flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7466; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID access"; flow:established,to_client; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F5B7F63-F06F-4331-8A26-339E03C0AE3D/si"; metadata:policy security-ips drop; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; sid:8369; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|D|00|0|00|8|00|B|00|5|00|8|00|6|00|-|00|3|00|4|00|3|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|4|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|F|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00D\x000\x008\x00B\x005\x008\x006\x00-\x003\x004\x003\x00A\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x004\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00F\x00D\x00F\x00F\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8028; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Helper Object for Java ActiveX Object Access"; flow:from_server,established; content:"8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4235; rev:7;)
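# sid:7426 — 9x8Resize CLSID, UTF-16 form (MS06-042 / CVE-2006-3638).
# `nocase` added on the fast-pattern content: the hex letters in the CLSID are matched case-sensitively
# without it, while the pcre is /i, so the content gate was stricter than the regex it protects.
# Consistent with the other unicode rules in this family (e.g. sid:8814). rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 9x8Resize ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|C|00|0|00|D|00|6|00|9|00|A|00|8|00|-|00|0|00|9|00|2|00|3|00|-|00|4|00|E|00|E|00|E|00|-|00|9|00|3|00|7|00|5|00|-|00|9|00|2|00|3|00|9|00|F|00|5|00|A|00|3|00|8|00|B|00|9|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00C\x000\x00D\x006\x009\x00A\x008\x00-\x000\x009\x002\x003\x00-\x004\x00E\x00E\x00E\x00-\x009\x003\x007\x005\x00-\x009\x002\x003\x009\x00F\x005\x00A\x003\x008\x00B\x009\x002\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7426; rev:5;)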
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID access"; flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7454; rev:5;)
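# sid:7501 — WM VIH2 Fix CLSID, UTF-16 form (MS06-042 / CVE-2006-3638).
# `nocase` added on the fast-pattern content so a lower-case CLSID still reaches the /i pcre;
# matches the sibling unicode rules (e.g. sid:8814, sid:7933). rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|8|00|6|00|F|00|B|00|4|00|8|00|6|00|-|00|5|00|5|00|6|00|0|00|-|00|4|00|F|00|F|00|3|00|-|00|9|00|6|00|D|00|F|00|-|00|1|00|1|00|1|00|8|00|C|00|9|00|6|00|A|00|F|00|4|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x008\x006\x00F\x00B\x004\x008\x006\x00-\x005\x005\x006\x000\x00-\x004\x00F\x00F\x003\x00-\x009\x006\x00D\x00F\x00-\x001\x001\x001\x008\x00C\x009\x006\x00A\x00F\x004\x005\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7501; rev:5;)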
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItems3 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|3|00|C|00|7|00|4|00|8|00|2|00|6|00|-|00|A|00|B|00|9|00|9|00|-|00|4|00|D|00|3|00|3|00|-|00|A|00|C|00|A|00|4|00|-|00|3|00|1|00|1|00|7|00|F|00|5|00|1|00|D|00|3|00|7|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x003\x00C\x007\x004\x008\x002\x006\x00-\x00A\x00B\x009\x009\x00-\x004\x00D\x003\x003\x00-\x00A\x00C\x00A\x004\x00-\x003\x001\x001\x007\x00F\x005\x001\x00D\x003\x007\x008\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7933; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CommunicationManager ActiveX CLSID access"; flow:established,to_client; content:"67DCC487-AA48-11D1-8F4F-00C04FB611C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DCC487-AA48-11D1-8F4F-00C04FB611C7/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8001; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,www.microsoft.com/technet/security/Bulletin/MS02-044.mspx; classtype:attempted-user; sid:7875; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSAPP Export Support for Microsoft Access ActiveX Object Access"; flow:from_server,established; content:"98CB4060-D3E7-42A1-8D65-949D34EBFE14"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98CB4060-D3E7-42A1-8D65-949D34EBFE14/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4229; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID access"; flow:established,to_client; content:"844F4806-E8A8-11D2-9652-00C04FC30871"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*844F4806-E8A8-11D2-9652-00C04FC30871/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7987; rev:5;)
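# sid:7445 — Mmedia.AsyncMHandler.1 CLSID, UTF-16 form (MS06-042 / CVE-2006-3638).
# `nocase` added on the fast-pattern content so a lower-case CLSID still reaches the /i pcre;
# matches the sibling unicode rules (e.g. sid:8814, sid:8396). rev bumped for the change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|D|00|A|00|2|00|A|00|A|00|3|00|E|00|-|00|3|00|D|00|9|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|2|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00D\x00A\x002\x00A\x00A\x003\x00E\x00-\x003\x00D\x009\x006\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x002\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7445; rev:5;)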
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|5|00|0|00|0|00|A|00|E|00|2|00|-|00|0|00|8|00|5|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|C|00|E|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|8|00|E|00|C|00|B|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x005\x000\x000\x00A\x00E\x002\x00-\x000\x008\x005\x008\x00-\x001\x001\x00D\x002\x00-\x008\x00C\x00E\x004\x00-\x000\x000\x00C\x000\x004\x00F\x008\x00E\x00C\x00B\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8396; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID access"; flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7442; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSN Setup BBS 4.71.0.10 ActiveX Object Access"; flow:from_server,established; content:"8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8F0F5093-0A70-11D0-BCA9-00C04FD85AA6/si"; metadata:policy security-ips drop; reference:bugtraq,668; reference:cve,1999-1484; classtype:attempted-user; sid:4157; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Stream ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|6|00|6|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x006\x006\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,www.microsoft.com/technet/security/bulletin/ms04-025.mspx; classtype:attempted-user; sid:8062; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID access"; flow:established,to_client; content:"0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0D43FE01-F093-11CF-8940-00A0C9054228/si"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,www.microsoft.com/technet/security/bulletin/ms00-075.mspx; classtype:attempted-user; sid:8069; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ACM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|1|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x001\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7992; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|6|00|F|00|F|00|C|00|2|00|4|00|C|00|-|00|7|00|E|00|1|00|3|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|4|00|7|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x006\x00F\x00F\x00C\x002\x004\x00C\x00-\x007\x00E\x001\x003\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x004\x007\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7951; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|A|00|B|00|4|00|3|00|9|00|E|00|-|00|F|00|C|00|F|00|4|00|-|00|4|00|0|00|D|00|4|00|-|00|9|00|0|00|D|00|A|00|-|00|F|00|7|00|9|00|B|00|A|00|A|00|3|00|B|00|0|00|6|00|5|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00A\x00B\x004\x003\x009\x00E\x00-\x00F\x00C\x00F\x004\x00-\x004\x000\x00D\x004\x00-\x009\x000\x00D\x00A\x00-\x00F\x007\x009\x00B\x00A\x00A\x003\x00B\x000\x006\x005\x005\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8000; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Windows Reporting Tool ActiveX Object Access"; flow:from_server,established; content:"167701E3-FDCF-11D0-A48E-006097C549FF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*167701E3-FDCF-11D0-A48E-006097C549FF/si"; metadata:policy security-ips drop; reference:bugtraq,8454; reference:cve,2003-0530; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; classtype:attempted-user; sid:4160; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8807; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LexRefStEsObject Class ActiveX Object Access"; flow:from_server,established; content:"4CFB5280-800B-4367-848F-5A13EBF27F1D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CFB5280-800B-4367-848F-5A13EBF27F1D/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4208; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebDetectFrm ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|1|00|C|00|6|00|6|00|9|00|C|00|7|00|-|00|E|00|D|00|D|00|D|00|-|00|4|00|2|00|7|00|7|00|-|00|B|00|F|00|5|00|E|00|-|00|6|00|4|00|8|00|0|00|7|00|C|00|B|00|8|00|D|00|C|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x001\x00C\x006\x006\x009\x00C\x007\x00-\x00E\x00D\x00D\x00D\x00-\x004\x002\x007\x007\x00-\x00B\x00F\x005\x00E\x00-\x006\x004\x008\x000\x007\x00C\x00B\x008\x00D\x00C\x00E\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8394; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Active Setup ActiveX Object Access"; flow:from_server,established; content:"F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1/si"; metadata:policy security-ips drop; reference:bugtraq,667; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4169; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL Phobos Class ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|F|00|9|00|9|00|C|00|6|00|B|00|-|00|A|00|3|00|A|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|F|00|6|00|4|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|6|00|1|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x00F\x009\x009\x00C\x006\x00B\x00-\x00A\x003\x00A\x006\x00-\x001\x001\x00D\x004\x00-\x00A\x00F\x006\x004\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x006\x001\x007\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7893; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID access"; flow:established,to_client; content:"06290BD5-48AA-11D2-8432-006008C3FBFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06290BD5-48AA-11D2-8432-006008C3FBFC/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,www.microsoft.com/technet/security/Bulletin/MS99-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; classtype:attempted-user; sid:8064; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8825; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RDS.Dataspace ActiveX Object Access"; flow:from_server,established; content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD96C556-65A3-11D0-983A-00C04FC29E36/si"; metadata:policy security-ips drop; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,www.microsoft.com/technet/security/bulletin/MS06-014.mspx; classtype:attempted-user; sid:6009; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|D|00|4|00|3|00|F|00|E|00|0|00|1|00|-|00|F|00|0|00|9|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|4|00|2|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x00D\x004\x003\x00F\x00E\x000\x001\x00-\x00F\x000\x009\x003\x00-\x001\x001\x00C\x00F\x00-\x008\x009\x004\x000\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x004\x002\x002\x008\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,www.microsoft.com/technet/security/bulletin/ms00-075.mspx; classtype:attempted-user; sid:8070; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Circular Auto Layout Logic 2 ActiveX Object Access"; flow:from_server,established; content:"B0406342-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406342-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6004; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|8|00|A|00|B|00|E|00|1|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|4|00|1|00|C|00|1|00|-|00|A|00|B|00|A|00|3|00|-|00|0|00|5|00|1|00|B|00|6|00|F|00|1|00|1|00|2|00|B|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x008\x00A\x00B\x00E\x001\x002\x003\x00-\x00F\x00A\x00C\x004\x00-\x004\x001\x00C\x001\x00-\x00A\x00B\x00A\x003\x00-\x000\x005\x001\x00B\x006\x00F\x001\x001\x002\x00B\x008\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7885; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_US Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|E|00|E|00|D|00|4|00|C|00|2|00|0|00|-|00|7|00|F|00|1|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00E\x00E\x00D\x004\x00C\x002\x000\x00-\x007\x00F\x001\x00B\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8012; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MTSEvents Class ActiveX Object Access"; flow:from_server,established; content:"ECABB0AB-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0AB-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4892; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID access"; flow:established,to_client; content:"C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8021; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network Connections Tray ActiveX Object Access"; flow:from_server,established; content:"7007ACCF-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACCF-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4219; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID access"; flow:established,to_client; content:"BB339A46-7C49-11d2-9BF3-00C04FA34789"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB339A46-7C49-11d2-9BF3-00C04FA34789/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8753; rev:4;)
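# Business Object Factory CLSID in an inbound <OBJECT classid=...>. The pcre is /i, but
# without nocase the fast_pattern:only prefilter was case-sensitive, so a lower-case CLSID
# never reached the pcre; nocase brings it in line with the sibling CLSID rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Business Object Factory ActiveX CLSID access"; flow:established,to_client; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AB9BCEDD-EC7E-47E1-9322-D4A210617116/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8363; rev:5;)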
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|1|00|B|00|0|00|9|00|0|00|6|00|6|00|-|00|C|00|9|00|5|00|C|00|-|00|4|00|E|00|F|00|6|00|-|00|8|00|D|00|F|00|D|00|-|00|3|00|D|00|D|00|0|00|A|00|F|00|E|00|6|00|1|00|0|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x001\x00B\x000\x009\x000\x006\x006\x00-\x00C\x009\x005\x00C\x00-\x004\x00E\x00F\x006\x00-\x008\x00D\x00F\x00D\x00-\x003\x00D\x00D\x000\x00A\x00F\x00E\x006\x001\x000\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7899; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access"; flow:from_server,established; content:"F27CE930-4CA3-11D1-AFF2-006097C9A284"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F27CE930-4CA3-11D1-AFF2-006097C9A284/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4199; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8777; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QuickTime Object ActiveX CLSID access"; flow:established,to_client; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8375; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID access"; flow:established,to_client; content:"9478F640-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9478F640-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8037; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX function call"; flow:established,to_client; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 9x8Resize ActiveX CLSID access"; flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7425; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Msb1geen.dll ActiveX Object Access"; flow:from_server,established; content:"208DD6A3-E12B-4755-9607-2E39EF84CFC5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*208DD6A3-E12B-4755-9607-2E39EF84CFC5/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4210; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HHOpen ActiveX Object Access"; flow:from_server,established; content:"130D7743-5F5A-11D1-B676-00A0C9697233"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*130D7743-5F5A-11D1-B676-00A0C9697233/si"; metadata:policy security-ips drop; reference:bugtraq,669; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4192; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID access"; flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7433; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Relationship Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710D-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710D-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4910; rev:5;)
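# UTF-16LE form of the DXImageTransform.Microsoft.MMSpecialEffect2Inputs CLSID. The pcre is /i,
# but the fast_pattern:only content lacked nocase, so only upper-case hex in the CLSID was
# prefiltered; nocase matches the other "unicode access" rules in this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|6|00|3|00|3|00|4|00|4|00|D|00|8|00|-|00|7|00|0|00|D|00|3|00|-|00|4|00|0|00|3|00|2|00|-|00|9|00|B|00|3|00|2|00|-|00|7|00|A|00|3|00|C|00|A|00|D|00|5|00|0|00|9|00|1|00|A|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x003\x003\x004\x004\x00D\x008\x00-\x007\x000\x00D\x003\x00-\x004\x000\x003\x002\x00-\x009\x00B\x003\x002\x00-\x007\x00A\x003\x00C\x00A\x00D\x005\x000\x009\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6685; rev:5;)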
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|5|00|3|00|E|00|1|00|9|00|A|00|-|00|4|00|E|00|5|00|4|00|-|00|4|00|1|00|9|00|0|00|-|00|8|00|D|00|E|00|B|00|-|00|2|00|E|00|1|00|C|00|C|00|9|00|4|00|7|00|C|00|D|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x005\x003\x00E\x001\x009\x00A\x00-\x004\x00E\x005\x004\x00-\x004\x001\x009\x000\x00-\x008\x00D\x00E\x00B\x00-\x002\x00E\x001\x00C\x00C\x009\x004\x007\x00C\x00D\x006\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7919; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID access"; flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7456; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BEC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8747; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8823; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX syncui.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|5|00|B|00|B|00|D|00|9|00|2|00|0|00|-|00|4|00|2|00|A|00|0|00|-|00|1|00|0|00|6|00|9|00|-|00|A|00|2|00|E|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|B|00|3|00|0|00|3|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00B\x00B\x00D\x009\x002\x000\x00-\x004\x002\x00A\x000\x00-\x001\x000\x006\x009\x00-\x00A\x002\x00E\x004\x00-\x000\x008\x000\x000\x002\x00B\x003\x000\x003\x000\x009\x00D\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8040; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft VideoPort ActiveX Object Access"; flow:from_server,established; content:"CE292861-FC88-11D0-9E69-00C04FD7C15B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CE292861-FC88-11D0-9E69-00C04FD7C15B/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4224; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Eyedog ActiveX Object Access"; flow:from_server,established; content:"06A7EC63-4E21-11D0-A112-00A0C90543AA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06A7EC63-4E21-11D0-A112-00A0C90543AA/si"; metadata:policy security-ips drop; reference:bugtraq,619; reference:cve,1999-0669; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:4153; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|3|00|1|00|E|00|8|00|7|00|C|00|4|00|-|00|8|00|6|00|E|00|A|00|-|00|4|00|9|00|4|00|0|00|-|00|9|00|B|00|8|00|A|00|-|00|5|00|B|00|D|00|5|00|D|00|1|00|7|00|9|00|A|00|7|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x003\x001\x00E\x008\x007\x00C\x004\x00-\x008\x006\x00E\x00A\x00-\x004\x009\x004\x000\x00-\x009\x00B\x008\x00A\x00-\x005\x00B\x00D\x005\x00D\x001\x007\x009\x00A\x007\x003\x007\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7923; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID access"; flow:established,to_client; content:"4F241DB1-EE9F-11D0-9824-006097C99E51"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F241DB1-EE9F-11D0-9824-006097C99E51/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8762; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|D|00|2|00|D|00|8|00|E|00|0|00|-|00|D|00|1|00|D|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|4|00|0|00|F|00|-|00|0|00|0|00|8|00|0|00|2|00|9|00|0|00|0|00|4|00|3|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x00D\x002\x00D\x008\x00E\x000\x00-\x00D\x001\x00D\x00D\x00-\x001\x001\x00C\x00E\x00-\x009\x004\x000\x00F\x00-\x000\x000\x008\x000\x002\x009\x000\x000\x004\x003\x004\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,www.microsoft.com/technet/security/bulletin/MS00-085.mspx; classtype:attempted-user; sid:8726; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID access"; flow:established,to_client; content:"B0516FF0-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0516FF0-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8035; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX SuperBuddy Class ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|9|00|5|00|0|00|4|00|B|00|8|00|-|00|5|00|0|00|D|00|1|00|-|00|4|00|A|00|A|00|8|00|-|00|B|00|4|00|D|00|6|00|-|00|9|00|5|00|C|00|8|00|F|00|5|00|8|00|A|00|6|00|4|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x009\x005\x000\x004\x00B\x008\x00-\x005\x000\x00D\x001\x00-\x004\x00A\x00A\x008\x00-\x00B\x004\x00D\x006\x00-\x009\x005\x00C\x008\x00F\x005\x008\x00A\x006\x004\x001\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7984; rev:5;)
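# UTF-16LE form of the WMT Virtual Renderer CLSID (MS06-042). The pcre is /i, but the
# fast_pattern:only content lacked nocase, so a lower-case CLSID was never handed to the pcre;
# nocase makes the prefilter consistent with the sibling "unicode access" rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|3|00|0|00|F|00|D|00|0|00|2|00|C|00|-|00|B|00|B|00|E|00|7|00|-|00|4|00|E|00|B|00|9|00|-|00|9|00|1|00|C|00|F|00|-|00|F|00|C|00|4|00|5|00|C|00|C|00|9|00|1|00|E|00|3|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x003\x000\x00F\x00D\x000\x002\x00C\x00-\x00B\x00B\x00E\x007\x00-\x004\x00E\x00B\x009\x00-\x009\x001\x00C\x00F\x00-\x00F\x00C\x004\x005\x00C\x00C\x009\x001\x00E\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7493; rev:5;)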
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|3|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x003\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8046; rev:4;)
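# UTF-16LE form of the WM TV Out Smooth Picture Filter CLSID (MS06-042). The pcre is /i, but
# the fast_pattern:only content lacked nocase, so only upper-case hex was prefiltered; nocase
# brings it in line with the other "unicode access" rules in this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|D|00|2|00|B|00|8|00|4|00|1|00|-|00|7|00|6|00|9|00|2|00|-|00|4|00|C|00|8|00|3|00|-|00|A|00|F|00|D|00|3|00|-|00|F|00|6|00|0|00|E|00|8|00|4|00|5|00|3|00|4|00|1|00|A|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00D\x002\x00B\x008\x004\x001\x00-\x007\x006\x009\x002\x00-\x004\x00C\x008\x003\x00-\x00A\x00F\x00D\x003\x00-\x00F\x006\x000\x00E\x008\x004\x005\x003\x004\x001\x00A\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7499; rev:5;)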
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network Connections ActiveX Object Access"; flow:from_server,established; content:"7007ACC7-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACC7-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4227; rev:7;)
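# sid 6518: DXImageTransform.Microsoft.Light, UTF-16LE CLSID F9EFBEC2-4302-11D2-952A-00C04FA34F05 (MS06-021, CVE-2006-2383).
# Local fix: added `nocase` to the content anchor, matching the /i pcre and the
# `fast_pattern:only; nocase;` form used by the other unicode-CLSID rules in this file.
# CLSID hex digits are case-insensitive to the browser, so the anchor must not depend on case.
# rev bumped 4 -> 5 to record the change; carry it in local.rules if this file is vendor-managed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|E|00|F|00|B|00|E|00|C|00|2|00|-|00|4|00|3|00|0|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x00E\x00F\x00B\x00E\x00C\x002\x00-\x004\x003\x000\x002\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-2383; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6518; rev:5;)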
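# sid 7447: Record Queue, UTF-16LE CLSID 5B4B05EB-1F63-446B-AAD1-E10A34D650E0 (MS06-042, CVE-2006-3638).
# Local fix: added `nocase` to the content anchor, matching the /i pcre and the
# `fast_pattern:only; nocase;` form used by the other unicode-CLSID rules in this file.
# CLSID hex digits are case-insensitive to the browser, so the anchor must not depend on case.
# rev bumped 4 -> 5 to record the change; carry it in local.rules if this file is vendor-managed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Record Queue ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|B|00|4|00|B|00|0|00|5|00|E|00|B|00|-|00|1|00|F|00|6|00|3|00|-|00|4|00|4|00|6|00|B|00|-|00|A|00|A|00|D|00|1|00|-|00|E|00|1|00|0|00|A|00|3|00|4|00|D|00|6|00|5|00|0|00|E|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00B\x004\x00B\x000\x005\x00E\x00B\x00-\x001\x00F\x006\x003\x00-\x004\x004\x006\x00B\x00-\x00A\x00A\x00D\x001\x00-\x00E\x001\x000\x00A\x003\x004\x00D\x006\x005\x000\x00E\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7447; rev:5;)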
# sids 8399, 8786, 4186, 8408, 7436, 7995, 4908, 8067, 7994, 8759.
# sids 8399 and 8408 carry no reference; treat them as control-hardening signatures rather than
# CVE-specific detections and confirm intent against the ruleset changelog before tuning.
# sid 7436 is the odd one out: it keys on the bare ProgID string "DirectAnimation.DATuple" with
# no pcre and no tag context, so any response body containing that string fires it (script, text
# or markup). Expect more noise than the CLSID-anchored rules and tune by host if needed.
# sid 8067 (Windows Scripting Host Shell object, CLSID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)
# has the longest reference history here (MS99-032 .. MS03-032); a hit means a page tried to
# instantiate a shell-scripting object in the browser, worth an analyst look regardless of patch level.
# sids 4186 and 4908 use flow:from_server,established, the alias of flow:established,to_client.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID access"; flow:established,to_client; content:"742D385A-D5BF-427D-9AF2-88258FB73EAF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*742D385A-D5BF-427D-9AF2-88258FB73EAF/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8399; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8786; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Editing ActiveX Object Access"; flow:from_server,established; content:"6D940285-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940285-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4186; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualExec Control ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|9|00|E|00|A|00|8|00|5|00|2|00|7|00|-|00|6|00|A|00|6|00|A|00|-|00|4|00|0|00|F|00|E|00|-|00|A|00|6|00|7|00|C|00|-|00|8|00|2|00|C|00|F|00|7|00|6|00|3|00|9|00|0|00|2|00|D|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x009\x00E\x00A\x008\x005\x002\x007\x00-\x006\x00A\x006\x00A\x00-\x004\x000\x00F\x00E\x00-\x00A\x006\x007\x00C\x00-\x008\x002\x00C\x00F\x007\x006\x003\x009\x000\x002\x00D\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8408; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dynamic Casts ActiveX function call"; flow:established,to_client; content:"DirectAnimation.DATuple"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7436; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatq.dll ActiveX CLSID access"; flow:established,to_client; content:"B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7995; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Method Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710B-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710B-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4908; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|3|00|5|00|D|00|C|00|2|00|2|00|-|00|1|00|C|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|B|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|5|00|8|00|A|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x003\x005\x00D\x00C\x002\x002\x00-\x001\x00C\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x00B\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x005\x008\x00A\x000\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS00-049.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:8067; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatex.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|4|00|6|00|F|00|0|00|A|00|0|00|-|00|D|00|3|00|6|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|8|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|2|00|3|00|1|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x004\x006\x00F\x000\x00A\x000\x00-\x00D\x003\x006\x007\x00-\x001\x001\x00D\x001\x00-\x008\x002\x008\x006\x00-\x000\x000\x00A\x000\x00C\x009\x002\x003\x001\x00C\x002\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7994; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID access"; flow:established,to_client; content:"B0A6BAE2-AAF0-11D0-A152-00A0C908DB96"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0A6BAE2-AAF0-11D0-A152-00A0C908DB96/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8759; rev:4;)
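# sid 7428: Allocator Fix, UTF-16LE CLSID C0D076C5-E4C6-4561-8BF4-80DA8DB819D7 (MS06-042, CVE-2006-3638).
# Local fix: added `nocase` to the content anchor, matching the /i pcre and the
# `fast_pattern:only; nocase;` form used by the other unicode-CLSID rules in this file.
# CLSID hex digits are case-insensitive to the browser, so the anchor must not depend on case.
# rev bumped 4 -> 5 to record the change; carry it in local.rules if this file is vendor-managed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Allocator Fix ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|0|00|D|00|0|00|7|00|6|00|C|00|5|00|-|00|E|00|4|00|C|00|6|00|-|00|4|00|5|00|6|00|1|00|-|00|8|00|B|00|F|00|4|00|-|00|8|00|0|00|D|00|A|00|8|00|D|00|B|00|8|00|1|00|9|00|D|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x000\x00D\x000\x007\x006\x00C\x005\x00-\x00E\x004\x00C\x006\x00-\x004\x005\x006\x001\x00-\x008\x00B\x00F\x004\x00-\x008\x000\x00D\x00A\x008\x00D\x00B\x008\x001\x009\x00D\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7428; rev:5;)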
# ASCII and UTF-16LE CLSID-access rules for MS05-038, MS05-052, MS05-054, MS06-042, MS06-067,
# MS01-015 and the DXImageTransform advisory (securityfocus archive 443907).
# sids 7888, 7892, 7897, 8411 and 7952 carry no reference at all; treat them as control-hardening
# signatures rather than CVE-specific detections and check the ruleset changelog before tuning.
# Each rule's content option is only the fast-pattern anchor (fast_pattern:only); the pcre is the
# real check and only recognises the <OBJECT ... classid=["']?clsid:{?CLSID form.
# flow:from_server,established (sids 4901, 4898, 4206, 4890, 4201, 4155) is the alias of
# flow:established,to_client used by the rest.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID access"; flow:established,to_client; content:"52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8003; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|6|00|7|00|3|00|D|00|C|00|F|00|2|00|-|00|C|00|3|00|1|00|6|00|-|00|4|00|C|00|6|00|F|00|-|00|A|00|A|00|9|00|6|00|-|00|4|00|E|00|4|00|D|00|C|00|6|00|D|00|C|00|2|00|9|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x006\x007\x003\x00D\x00C\x00F\x002\x00-\x00C\x003\x001\x006\x00-\x004\x00C\x006\x00F\x00-\x00A\x00A\x009\x006\x00-\x004\x00E\x004\x00D\x00C\x006\x00D\x00C\x002\x009\x001\x00E\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; classtype:attempted-user; sid:7915; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PostBootReminder object ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|8|00|4|00|9|00|5|00|9|00|6|00|A|00|-|00|4|00|8|00|E|00|A|00|-|00|4|00|8|00|6|00|E|00|-|00|8|00|9|00|3|00|7|00|-|00|A|00|2|00|A|00|3|00|0|00|0|00|9|00|F|00|3|00|1|00|A|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x008\x004\x009\x005\x009\x006\x00A\x00-\x004\x008\x00E\x00A\x00-\x004\x008\x006\x00E\x00-\x008\x009\x003\x007\x00-\x00A\x002\x00A\x003\x000\x000\x009\x00F\x003\x001\x00A\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7971; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX French_French Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|A|00|6|00|E|00|B|00|0|00|5|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00A\x006\x00E\x00B\x000\x005\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8014; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID access"; flow:established,to_client; content:"C1145550-A454-11D4-9020-00D0B7239081"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C1145550-A454-11D4-9020-00D0B7239081/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7888; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL Phobos Class ActiveX CLSID access"; flow:established,to_client; content:"D9F99C6B-A3A6-11D4-AF64-444553546170"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D9F99C6B-A3A6-11D4-AF64-444553546170/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7892; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID access"; flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7498; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID access"; flow:established,to_client; content:"50B4791F-4731-11D0-8912-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50B4791F-4731-11D0-8912-00C04FC2A0CA/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8744; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DocFind Command ActiveX CLSID access"; flow:established,to_client; content:"B005E690-678D-11D1-B758-00A0C90564FE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B005E690-678D-11D1-B758-00A0C90564FE/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8411; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VMR Allocator Presenter 9 ActiveX Object Access"; flow:from_server,established; content:"2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4901; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|C|00|B|00|0|00|8|00|C|00|E|00|-|00|A|00|B|00|3|00|D|00|-|00|4|00|7|00|7|00|9|00|-|00|9|00|C|00|7|00|7|00|-|00|6|00|2|00|A|00|4|00|3|00|9|00|B|00|F|00|E|00|6|00|C|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00C\x00B\x000\x008\x00C\x00E\x00-\x00A\x00B\x003\x00D\x00-\x004\x007\x007\x009\x00-\x009\x00C\x007\x007\x00-\x006\x002\x00A\x004\x003\x009\x00B\x00F\x00E\x006\x00C\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7897; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|1|00|5|00|4|00|9|00|E|00|5|00|8|00|-|00|3|00|8|00|9|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|B|00|7|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|9|00|9|00|C|00|4|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x001\x005\x004\x009\x00E\x005\x008\x00-\x003\x008\x009\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00B\x007\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x009\x009\x00C\x004\x00C\x001\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8751; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|A|00|0|00|4|00|D|00|9|00|3|00|B|00|-|00|1|00|E|00|D|00|D|00|-|00|4|00|F|00|3|00|F|00|-|00|A|00|3|00|7|00|5|00|-|00|A|00|0|00|3|00|E|00|C|00|1|00|9|00|5|00|7|00|2|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00A\x000\x004\x00D\x009\x003\x00B\x00-\x001\x00E\x00D\x00D\x00-\x004\x00F\x003\x00F\x00-\x00A\x003\x007\x005\x00-\x00A\x000\x003\x00E\x00C\x001\x009\x005\x007\x002\x00C\x004\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7947; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeComp ActiveX Object Access"; flow:from_server,established; content:"00020425-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020425-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4898; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MPEG-4 Video Decompressor Property Page ActiveX Object Access"; flow:from_server,established; content:"598EBA02-B49A-11D2-A1C1-00609778EA66"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*598EBA02-B49A-11D2-A1C1-00609778EA66/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4206; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID access"; flow:established,to_client; content:"69AD90EF-1C20-11D1-8801-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69AD90EF-1C20-11D1-8801-00C04FC29D46/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7952; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX IAVIStream & IAVIFile Proxy ActiveX Object Access"; flow:from_server,established; content:"0002000D-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002000D-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4890; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Queued Components Recorder ActiveX Object Access"; flow:from_server,established; content:"ECABAFC2-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC2-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4201; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8820; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX htmlfile ActiveX Object Access"; flow:from_server,established; content:"25336921-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25336921-03F9-11CF-8FD0-00AA00686F13/si"; metadata:policy security-ips drop; reference:bugtraq,1718; reference:cve,2001-0149; reference:url,www.microsoft.com/technet/security/bulletin/MS01-015.mspx; classtype:attempted-user; sid:4155; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|2|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x002\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8044; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID access"; flow:established,to_client; content:"9F8E6421-3D9B-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F8E6421-3D9B-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7936; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8837; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID access"; flow:established,to_client; content:"6D36CE10-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D36CE10-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8023; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8780; rev:4;)
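# sid 6683: DXImageTransform.Microsoft.MMSpecialEffect1Input, UTF-16LE CLSID 353359C1-39E1-491B-9951-464FD8AB071C (MS06-021).
# Local fix: the original anchor had no `nocase` AND was written in mixed case (`...491b...`),
# so a case-sensitive evaluation would have matched neither an all-upper nor an all-lower CLSID,
# only that exact spelling. Added `nocase` (the pcre is already /i, and every other unicode-CLSID
# rule here uses `fast_pattern:only; nocase;`) and normalised the hex to upper case in both the
# content and the pcre, which is a no-op once both are case-insensitive.
# rev bumped 4 -> 5 to record the change; carry it in local.rules if this file is vendor-managed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|5|00|3|00|3|00|5|00|9|00|C|00|1|00|-|00|3|00|9|00|E|00|1|00|-|00|4|00|9|00|1|00|B|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|6|00|4|00|F|00|D|00|8|00|A|00|B|00|0|00|7|00|1|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x005\x003\x003\x005\x009\x00C\x001\x00-\x003\x009\x00E\x001\x00-\x004\x009\x001\x00B\x00-\x009\x009\x005\x001\x00-\x004\x006\x004\x00F\x00D\x008\x00A\x00B\x000\x007\x001\x00C\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6683; rev:5;)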
# sids 7868, 7925, 8799, 7474, 8769, 7458, 7937, 7917.
# sid 7868 (ADODB.Recordset, CLSID 00000535-0000-0010-8000-00AA006D2EA4) is the one rule in this
# run referencing a data-access component rather than a media/animation control; its references
# (bugtraq 20704, CVE-2006-5559) point at the ADODB advisory of that date - verify the CLSID
# against the advisory before relying on it as a CVE-specific detection.
# sid 7917 (CLSID_IMimeInternational) carries no reference; treat it as control-hardening.
# Each rule's content option is only the fast-pattern anchor (fast_pattern:only); the pcre is
# the real check and only recognises the <OBJECT ... classid=["']?clsid:{?CLSID form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Recordset ActiveX CLSID access"; flow:established,to_client; content:"00000535-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000535-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7868; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|7|00|1|00|B|00|4|00|0|00|6|00|3|00|-|00|3|00|E|00|5|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x007\x001\x00B\x004\x000\x006\x003\x00-\x003\x00E\x005\x009\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7925; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8799; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion ActiveX CLSID access"; flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7474; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8769; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID access"; flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7458; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|8|00|E|00|6|00|4|00|2|00|1|00|-|00|3|00|D|00|9|00|B|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x008\x00E\x006\x004\x002\x001\x00-\x003\x00D\x009\x00B\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7937; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|8|00|5|00|3|00|C|00|D|00|9|00|-|00|7|00|F|00|8|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|2|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|5|00|A|00|B|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x008\x005\x003\x00C\x00D\x009\x00-\x007\x00F\x008\x006\x00-\x001\x001\x00D\x000\x00-\x008\x002\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x005\x00A\x00B\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7917; rev:5;)
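# Review fix: the content match lacked nocase while the pcre is /i. The UTF-16LE CLSID
# contains hex letters (E, F, D, B, A, C), so a page that writes the CLSID in lower case
# skipped the fast_pattern check and the pcre was never evaluated. Added nocase to match
# the sibling rules and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Volume ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|E|00|E|00|4|00|3|00|D|00|6|00|-|00|B|00|F|00|E|00|5|00|-|00|4|00|4|00|B|00|0|00|-|00|8|00|0|00|6|00|3|00|-|00|A|00|C|00|3|00|B|00|2|00|9|00|6|00|6|00|A|00|B|00|2|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x00E\x00E\x004\x003\x00D\x006\x00-\x00B\x00F\x00E\x005\x00-\x004\x004\x00B\x000\x00-\x008\x000\x006\x003\x00-\x00A\x00C\x003\x00B\x002\x009\x006\x006\x00A\x00B\x002\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7497; rev:5;)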
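# Review fix: content match lacked nocase while the pcre is /i; a lower-cased hex CLSID
# (E, A, D letters in this GUID) bypassed the fast_pattern gate and the pcre never ran.
# Added nocase for consistency with the sibling rules and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|E|00|A|00|1|00|0|00|0|00|3|00|1|00|-|00|0|00|0|00|3|00|3|00|-|00|4|00|5|00|0|00|E|00|-|00|8|00|0|00|7|00|2|00|-|00|E|00|2|00|7|00|D|00|9|00|E|00|7|00|6|00|8|00|1|00|4|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00E\x00A\x001\x000\x000\x003\x001\x00-\x000\x000\x003\x003\x00-\x004\x005\x000\x00E\x00-\x008\x000\x007\x002\x00-\x00E\x002\x007\x00D\x009\x00E\x007\x006\x008\x001\x004\x002\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7463; rev:5;)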
# ASCII (sid 7874) and UTF-16LE (sid 7879) variants of the same check: fast_pattern
# content on the CLSID, nocase, then a pcre requiring it as the classid= of an <OBJECT>
# tag. sid 7879 has only a vendor URL reference and no CVE listed here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID access"; flow:established,to_client; content:"0002E552-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E552-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,www.microsoft.com/technet/security/Bulletin/MS02-044.mspx; classtype:attempted-user; sid:7874; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|3|00|F|00|9|00|9|00|8|00|B|00|2|00|-|00|0|00|E|00|0|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|A|00|4|00|9|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|E|00|B|00|5|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x003\x00F\x009\x009\x008\x00B\x002\x00-\x000\x00E\x000\x000\x00-\x001\x001\x00D\x003\x00-\x00A\x004\x009\x008\x00-\x000\x000\x001\x000\x004\x00B\x006\x00E\x00B\x005\x002\x00E\x00/si"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7879; rev:5;)
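# Review fix: content match lacked nocase while the pcre is /i, so a lower-cased hex
# CLSID (D, B, F, E letters) never reached the pcre. Added nocase to match the sibling
# rules and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|D|00|2|00|0|00|D|00|4|00|B|00|B|00|-|00|B|00|4|00|7|00|E|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|3|00|B|00|D|00|-|00|E|00|3|00|C|00|2|00|E|00|E|00|2|00|5|00|0|00|D|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00D\x002\x000\x00D\x004\x00B\x00B\x00-\x00B\x004\x007\x00E\x00-\x004\x00F\x00B\x007\x00-\x008\x003\x00B\x00D\x00-\x00E\x003\x00C\x002\x00E\x00E\x002\x005\x000\x00D\x002\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7475; rev:5;)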
# Mixed run of ASCII and UTF-16LE CLSID rules. The older "Object Access" rules
# (sids 4189, 4222, 4151, 4188) spell the direction as flow:from_server,established,
# the newer ones as flow:established,to_client; both name the server-to-client side.
# All rules here carry nocase on the content so the fast_pattern gate and the /i pcre
# agree on case.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Third-Party Plugin ActiveX Object Access"; flow:from_server,established; content:"06DD38D3-D187-11CF-A80D-00C04FD74AD8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06DD38D3-D187-11CF-A80D-00C04FD74AD8/si"; metadata:policy security-ips drop; reference:cve,2003-0233; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-user; sid:4189; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID access"; flow:established,to_client; content:"860BB310-5D01-11D0-BD3B-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860BB310-5D01-11D0-BD3B-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8041; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID access"; flow:established,to_client; content:"8BD21D30-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D30-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; reference:cve,1999-0384; reference:url,www.microsoft.com/technet/security/bulletin/ms99-001.mspx; classtype:attempted-user; sid:7954; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8772; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Outllib.dll ActiveX Object Access"; flow:from_server,established; content:"0006F02A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F02A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4222; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItem2 ActiveX CLSID access"; flow:established,to_client; content:"FEF10FA2-355E-4E06-9381-9B24D7F7CC88"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FEF10FA2-355E-4E06-9381-9B24D7F7CC88/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7930; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor Source Properties ActiveX Object Access"; flow:from_server,established; content:"0CF32AA1-7571-11D0-93C4-00AA00A3DDEA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CF32AA1-7571-11D0-93C4-00AA00A3DDEA/si"; metadata:policy security-ips drop; reference:bugtraq,7384; classtype:attempted-user; sid:4151; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RAV Online Scanner ActiveX Object Access"; flow:from_server,established; content:"D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249/si"; metadata:policy security-ips drop; reference:bugtraq,11448; reference:cve,2004-0936; reference:url,www.microsoft.com/technet/security/bulletin/MS03-048.mspx; classtype:attempted-user; sid:4188; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|2|00|4|00|1|00|F|00|0|00|1|00|5|00|-|00|8|00|4|00|D|00|3|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|7|00|E|00|6|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|3|00|F|00|F|00|7|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x002\x004\x001\x00F\x000\x001\x005\x00-\x008\x004\x00D\x003\x00-\x001\x001\x00d\x002\x00-\x009\x007\x00E\x006\x00-\x000\x000\x000\x000\x00F\x008\x000\x003\x00F\x00F\x007\x00A\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7913; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID access"; flow:established,to_client; content:"8EE42293-C315-11D0-8D6F-00A0C9A06E1F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8EE42293-C315-11D0-8D6F-00A0C9A06E1F/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7997; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID access"; flow:established,to_client; content:"ECABB0BF-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0BF-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8033; rev:6;)
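# Review fix: this rule matched the bare GUID string anywhere in the response body,
# unlike every sibling rule in this file, which requires the CLSID to appear as the
# classid= attribute of an <OBJECT> tag. A bare-GUID match also fires on pages that
# merely mention the CLSID (advisories, registry dumps). Anchored it with the same pcre
# form as its siblings and bumped rev. NOTE(review): this narrows the match to the
# <OBJECT ...> form; if a broad match was intended, keep the old rule alongside.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid access"; flow:established,to_client; content:"8B21775E-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8B21775E-717D-11CE-AB5B-D41203C10000/si"; metadata:policy security-ips drop; reference:cve,2007-2216; reference:url,www.microsoft.com/technet/security/bulletin/ms07-045.mspx; classtype:attempted-user; sid:12269; rev:9;)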
# CLSID-in-<OBJECT> checks, ASCII and UTF-16LE. Two rules (sids 8393 and 7881) carry no
# reference at all, so the alert gives an analyst nothing to pivot on; the others cite
# a CVE, bugtraq id, vendor bulletin or exploit write-up. Content modifiers are
# fast_pattern:only plus nocase throughout, matching the /i pcre.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID access"; flow:established,to_client; content:"623E2882-FC0E-11D1-9A77-0000F8756A10"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*623E2882-FC0E-11D1-9A77-0000F8756A10/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; reference:url,osvdb.org/27109; classtype:attempted-user; sid:7940; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID access"; flow:established,to_client; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8CCCDDF-CA28-496b-B050-6C07C962476B/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8717; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Frame Eater ActiveX CLSID access"; flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7437; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID access"; flow:established,to_client; content:"D2923B86-15F1-46FF-A19A-DE825F919576"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2923B86-15F1-46FF-A19A-DE825F919576/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7989; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebDetectFrm ActiveX CLSID access"; flow:established,to_client; content:"61C669C7-EDDD-4277-BF5E-64807CB8DCEF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*61C669C7-EDDD-4277-BF5E-64807CB8DCEF/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8393; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|1|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x001\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8835; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Type Library ActiveX Object Access"; flow:from_server,established; content:"6E22710E-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710E-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4911; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|E|00|F|00|E|00|2|00|4|00|5|00|2|00|-|00|1|00|6|00|8|00|A|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|C|00|7|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|9|00|4|00|5|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00E\x00F\x00E\x002\x004\x005\x002\x00-\x001\x006\x008\x00A\x00-\x001\x001\x00D\x001\x00-\x00B\x00C\x007\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x009\x004\x005\x003\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8030; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|0|00|0|00|7|00|2|00|5|00|B|00|-|00|C|00|4|00|5|00|5|00|-|00|4|00|D|00|E|00|6|00|-|00|B|00|F|00|B|00|6|00|-|00|A|00|D|00|5|00|4|00|0|00|A|00|D|00|4|00|2|00|7|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x000\x000\x007\x002\x005\x00B\x00-\x00C\x004\x005\x005\x00-\x004\x00D\x00E\x006\x00-\x00B\x00F\x00B\x006\x00-\x00A\x00D\x005\x004\x000\x00A\x00D\x004\x002\x007\x00C\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7881; rev:5;)
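# Review fix: content match lacked nocase while the pcre is /i; the UTF-16LE CLSID has
# hex letters (A, E, D, B, C, F), so a lower-cased GUID bypassed the fast_pattern gate.
# Added nocase to match the sibling rules and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|E|00|D|00|A|00|8|00|9|00|A|00|-|00|0|00|9|00|6|00|6|00|-|00|4|00|B|00|9|00|1|00|-|00|9|00|C|00|1|00|8|00|-|00|A|00|B|00|6|00|9|00|F|00|0|00|9|00|8|00|1|00|8|00|7|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00E\x00D\x00A\x008\x009\x00A\x00-\x000\x009\x006\x006\x00-\x004\x00B\x009\x001\x00-\x009\x00C\x001\x008\x00-\x00A\x00B\x006\x009\x00F\x000\x009\x008\x001\x008\x007\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7467; rev:5;)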
# CLSID-in-<OBJECT> checks. sid 7975 (Rendezvous Class) has no reference; the rest cite
# a Microsoft bulletin and/or CVE. All content matches carry nocase alongside
# fast_pattern:only, so the gate is case-insensitive like the /i pcre that follows it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Collection Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710A-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710A-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4907; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8841; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shortcut Handler ActiveX Object Access"; flow:from_server,established; content:"00021401-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00021401-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4915; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Rendezvous Class ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|1|00|0|00|2|00|9|00|E|00|5|00|B|00|-|00|C|00|B|00|5|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|5|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|1|00|A|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x001\x000\x002\x009\x00E\x005\x00B\x00-\x00C\x00B\x005\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x005\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x009\x001\x00A\x00C\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7975; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID access"; flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7444; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|2|00|C|00|A|00|3|00|B|00|C|00|F|00|-|00|3|00|B|00|9|00|B|00|-|00|4|00|1|00|9|00|E|00|-|00|A|00|3|00|D|00|6|00|-|00|5|00|D|00|2|00|8|00|C|00|0|00|B|00|0|00|B|00|5|00|0|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x002\x00C\x00A\x003\x00B\x00C\x00F\x00-\x003\x00B\x009\x00B\x00-\x004\x001\x009\x00E\x00-\x00A\x003\x00D\x006\x00-\x005\x00D\x002\x008\x00C\x000\x00B\x000\x00B\x005\x000\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8004; rev:4;)
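# Review fix: content match lacked nocase while the pcre is /i, so a lower-cased hex
# CLSID (B, D, C, E, F letters) never reached the pcre. Added nocase to match the
# sibling rules and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|D|00|C|00|8|00|D|00|D|00|9|00|-|00|2|00|C|00|C|00|1|00|-|00|4|00|0|00|8|00|1|00|-|00|9|00|B|00|2|00|B|00|-|00|2|00|0|00|D|00|7|00|0|00|3|00|0|00|2|00|3|00|4|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00D\x00C\x008\x00D\x00D\x009\x00-\x002\x00C\x00C\x001\x00-\x004\x000\x008\x001\x00-\x009\x00B\x002\x00B\x00-\x002\x000\x00D\x007\x000\x003\x000\x002\x003\x004\x00E\x00F\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6680; rev:5;)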
# CLSID-in-<OBJECT> checks, ASCII and UTF-16LE. sids 7926 (DXTFilter) and 7884
# (AolCalSvr) ship without any reference. Every content match here has nocase next to
# fast_pattern:only, so the fast gate agrees with the /i pcre. Note that the pcre's
# [^>]* (or ([^>]\x00)* in the UTF-16LE form) lets other attributes sit between
# "<OBJECT" and "classid=".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8811; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXTFilter ActiveX CLSID access"; flow:established,to_client; content:"385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7926; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4164; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID access"; flow:established,to_client; content:"A8ABE123-FAC4-41C1-ABA3-051B6F112B83"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8ABE123-FAC4-41C1-ABA3-051B6F112B83/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7884; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID access"; flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7472; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|7|00|2|00|3|00|E|00|0|00|9|00|-|00|F|00|4|00|C|00|2|00|-|00|4|00|3|00|c|00|8|00|-|00|8|00|3|00|5|00|8|00|-|00|0|00|9|00|F|00|C|00|D|00|1|00|D|00|B|00|0|00|7|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x007\x002\x003\x00E\x000\x009\x00-\x00F\x004\x00C\x002\x00-\x004\x003\x00c\x008\x00-\x008\x003\x005\x008\x00-\x000\x009\x00F\x00C\x00D\x001\x00D\x00B\x000\x007\x006\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8374; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ICM Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A760-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A760-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8017; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|5|00|B|00|0|00|F|00|9|00|1|00|C|00|-|00|D|00|2|00|3|00|D|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|8|00|5|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x005\x00B\x000\x00F\x009\x001\x00C\x00-\x00D\x002\x003\x00D\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x008\x005\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8742; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeLib ActiveX Object Access"; flow:from_server,established; content:"00020423-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020423-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4896; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|6|00|0|00|4|00|E|00|F|00|E|00|-|00|8|00|8|00|9|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|4|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|1|00|2|00|E|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x006\x000\x004\x00E\x00F\x00E\x00-\x008\x008\x009\x007\x00-\x001\x001\x00D\x001\x00-\x00B\x009\x004\x004\x00-\x000\x000\x00A\x000\x00C\x009\x000\x003\x001\x002\x00E\x001\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7949; rev:5;)
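# Review fix: content match lacked nocase while the pcre is /i; a lower-cased hex CLSID
# (D, C, F, E, A, B letters) skipped the fast_pattern gate and the pcre never ran.
# Added nocase to match the sibling rules and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Import Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|D|00|4|00|C|00|9|00|F|00|E|00|F|00|-|00|E|00|D|00|8|00|0|00|-|00|4|00|7|00|E|00|A|00|-|00|A|00|3|00|F|00|A|00|-|00|3|00|2|00|1|00|5|00|F|00|D|00|B|00|B|00|3|00|3|00|A|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00D\x004\x00C\x009\x00F\x00E\x00F\x00-\x00E\x00D\x008\x000\x00-\x004\x007\x00E\x00A\x00-\x00A\x003\x00F\x00A\x00-\x003\x002\x001\x005\x00F\x00D\x00B\x00B\x003\x003\x00A\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7477; rev:5;)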
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID access"; flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7486; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|1|00|7|00|9|00|5|00|3|00|3|00|-|00|D|00|8|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x001\x007\x009\x005\x003\x003\x00-\x00D\x008\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x006\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8757; rev:4;)
# sid:4215 -- Microsoft HTML Popup Window CLSID 3050F667-98B5-11CF-BB82-00AA00BDCE0B in an <OBJECT classid=clsid:...> tag (ASCII form);
# flow:from_server,established is the same direction as to_client used by the newer rules; MS05-052 / CVE-2005-2127.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Popup Window ActiveX Object Access"; flow:from_server,established; content:"3050F667-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F667-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4215; rev:7;)
# sid:7890 -- AOL.MemExpWz CLSID 18477169-4752-41DC-AB0F-C50EBA75641D in an <OBJECT classid=clsid:...> tag (ASCII form).
# No reference: option is given, so the underlying advisory is not recorded in the rule itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID access"; flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7890; rev:5;)
# sid:8760 -- DirectAnimation.SequencerControl CLSID B0A6BAE2-AAF0-11D0-A152-00A0C908DB96 in an <OBJECT classid=clsid:...> tag,
# UTF-16LE form; MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|A|00|6|00|B|00|A|00|E|00|2|00|-|00|A|00|A|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|1|00|5|00|2|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|D|00|B|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x00A\x006\x00B\x00A\x00E\x002\x00-\x00A\x00A\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x001\x005\x002\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x00D\x00B\x009\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8760; rev:4;)
# sid:8367 -- Microsoft.DbgClr.DTE.8.0 CLSID D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 in an <OBJECT classid=clsid:...> tag (ASCII form);
# reference is the Metasploit ie_createobject module rather than a vendor bulletin.
# NOTE(review): no nocase on the content, unlike most ASCII siblings; the content is fast_pattern:only and the pcre is /i, so likely cosmetic -- confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID access"; flow:established,to_client; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D0C07D56-7C69-43F1-B4A0-25F5A11FAB19/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8367; rev:4;)
# sid:8398 -- Microsoft Office List 11.0 CLSID 65BCBEE4-7728-41A0-97BE-14E1CAE36AAE in an <OBJECT classid=clsid:...> tag,
# UTF-16LE form. No reference: option is recorded.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|5|00|B|00|C|00|B|00|E|00|E|00|4|00|-|00|7|00|7|00|2|00|8|00|-|00|4|00|1|00|A|00|0|00|-|00|9|00|7|00|B|00|E|00|-|00|1|00|4|00|E|00|1|00|C|00|A|00|E|00|3|00|6|00|A|00|A|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x005\x00B\x00C\x00B\x00E\x00E\x004\x00-\x007\x007\x002\x008\x00-\x004\x001\x00A\x000\x00-\x009\x007\x00B\x00E\x00-\x001\x004\x00E\x001\x00C\x00A\x00E\x003\x006\x00A\x00A\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8398; rev:4;)
# sid:8774 -- DirectAnimation.DAUserData.1 CLSID AF868304-AB0B-11D0-876A-00C04FC29D46 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID access"; flow:established,to_client; content:"AF868304-AB0B-11D0-876A-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF868304-AB0B-11D0-876A-00C04FC29D46/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8774; rev:4;)
# sid:7990 -- WIA FileSystem USD CLSID D2923B86-15F1-46FF-A19A-DE825F919576 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|9|00|2|00|3|00|B|00|8|00|6|00|-|00|1|00|5|00|F|00|1|00|-|00|4|00|6|00|F|00|F|00|-|00|A|00|1|00|9|00|A|00|-|00|D|00|E|00|8|00|2|00|5|00|F|00|9|00|1|00|9|00|5|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x009\x002\x003\x00B\x008\x006\x00-\x001\x005\x00F\x001\x00-\x004\x006\x00F\x00F\x00-\x00A\x001\x009\x00A\x00-\x00D\x00E\x008\x002\x005\x00F\x009\x001\x009\x005\x007\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7990; rev:5;)
# sid:4211 -- Microsoft DDS Library Shape Control CLSID EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-052 / CVE-2005-2127.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Library Shape Control ActiveX Object Access"; flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4211; rev:7;)
# sid:7901 -- AOL.UPFCtrl CLSID 98BFD494-F6AD-4794-9038-832C0654CC43 in an <OBJECT classid=clsid:...> tag, UTF-16LE form.
# No reference: option is recorded.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|8|00|B|00|F|00|D|00|4|00|9|00|4|00|-|00|F|00|6|00|A|00|D|00|-|00|4|00|7|00|9|00|4|00|-|00|9|00|0|00|3|00|8|00|-|00|8|00|3|00|2|00|C|00|0|00|6|00|5|00|4|00|C|00|C|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x008\x00B\x00F\x00D\x004\x009\x004\x00-\x00F\x006\x00A\x00D\x00-\x004\x007\x009\x004\x00-\x009\x000\x003\x008\x00-\x008\x003\x002\x00C\x000\x006\x005\x004\x00C\x00C\x004\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7901; rev:5;)
# sid:4146 -- SharePoint Portal Services Log Sink CLSID DE4735F3-7532-4895-93DC-9A10C4257173 in an <OBJECT classid=clsid:...> tag (ASCII form);
# bugtraq 12646 / 14515, KB837253. The "\;" in the reference URL escapes semicolons that would otherwise end the option.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Share Point Portal Services Log Sink ActiveX Object Access"; flow:from_server,established; content:"DE4735F3-7532-4895-93DC-9A10C4257173"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DE4735F3-7532-4895-93DC-9A10C4257173/si"; metadata:policy security-ips drop; reference:bugtraq,12646; reference:bugtraq,14515; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB837253; classtype:attempted-user; sid:4146; rev:4;)
# sid:7431 -- DirectFrame.DirectControl.1 CLSID 39A2C2A6-4778-11D2-9BDB-204C4F4F5020 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-042 / CVE-2006-3638.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID access"; flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7431; rev:5;)
# sid:6005 -- Microsoft DT DDS Straight Line Routing Logic 2 CLSID B0406343-B0C5-11d0-89A9-00A0C9054129 in an <OBJECT classid=clsid:...> tag
# (ASCII form; the mixed-case "11d0" in the GUID is covered by nocase and /i); MS06-013 / CVE-2006-1186.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Straight Line Routing Logic 2 ActiveX Object Access"; flow:from_server,established; content:"B0406343-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406343-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6005; rev:4;)
# sid:7488 -- WMT Screen Capture Filter CLSID 31087270-D348-432C-899E-2D2F38FF29A0 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-042 / CVE-2006-3638.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID access"; flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7488; rev:5;)
# sid:8366 -- DExplore.AppObj.8.0 CLSID 639F725F-1B2D-4831-A9FD-874847682010 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# reference is the Metasploit ie_createobject module.
# NOTE(review): no nocase on the content, unlike sibling unicode rules; content is fast_pattern:only and the pcre is /i, so likely cosmetic -- confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|9|00|F|00|7|00|2|00|5|00|F|00|-|00|1|00|B|00|2|00|D|00|-|00|4|00|8|00|3|00|1|00|-|00|A|00|9|00|F|00|D|00|-|00|8|00|7|00|4|00|8|00|4|00|7|00|6|00|8|00|2|00|0|00|1|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x009\x00F\x007\x002\x005\x00F\x00-\x001\x00B\x002\x00D\x00-\x004\x008\x003\x001\x00-\x00A\x009\x00F\x00D\x00-\x008\x007\x004\x008\x004\x007\x006\x008\x002\x000\x001\x000\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8366; rev:4;)
# sid:7500 -- WM VIH2 Fix CLSID 586FB486-5560-4FF3-96DF-1118C96AF456 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-042 / CVE-2006-3638.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID access"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7500; rev:5;)
# sid:4216 -- CLSID_CComAcctImport 1AA06BA1-0E88-11D1-8391-00C04FBD7C09 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-052 / CVE-2005-2127.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CComAcctImport ActiveX Object Access"; flow:from_server,established; content:"1AA06BA1-0E88-11D1-8391-00C04FBD7C09"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1AA06BA1-0E88-11D1-8391-00C04FBD7C09/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4216; rev:7;)
# sid:7495 -- WMT Virtual Source CLSID C44C65C7-FDF1-453D-89A5-BCC28F5D69F9 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS06-042 / CVE-2006-3638.
# NOTE(review): no nocase on the content, unlike sibling unicode rules; content is fast_pattern:only and the pcre is /i, so likely cosmetic -- confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Source ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|4|00|C|00|6|00|5|00|C|00|7|00|-|00|F|00|D|00|F|00|1|00|-|00|4|00|5|00|3|00|D|00|-|00|8|00|9|00|A|00|5|00|-|00|B|00|C|00|C|00|2|00|8|00|F|00|5|00|D|00|6|00|9|00|F|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x004\x00C\x006\x005\x00C\x007\x00-\x00F\x00D\x00F\x001\x00-\x004\x005\x003\x00D\x00-\x008\x009\x00A\x005\x00-\x00B\x00C\x00C\x002\x008\x00F\x005\x00D\x006\x009\x00F\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7495; rev:4;)
# sid:4230 -- Search Assistant UI CLSID 47C6C527-6204-4F91-849D-66E234DEE015 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-052 / CVE-2005-2127.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Search Assistant UI ActiveX Object Access"; flow:from_server,established; content:"47C6C527-6204-4F91-849D-66E234DEE015"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47C6C527-6204-4F91-849D-66E234DEE015/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4230; rev:7;)
# sid:8721 -- Outlook Data Object CLSID 0006F033-0000-0000-C000-000000000046 in an <OBJECT classid=clsid:...> tag (ASCII form);
# reference is the Metasploit ie_createobject module.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Data Object ActiveX CLSID access"; flow:established,to_client; content:"0006F033-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F033-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8721; rev:4;)
# sid:8019 -- Internet Explorer Address Bar CLSID 01E04581-4EEE-11D0-BFE9-00AA005B4383 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID access"; flow:established,to_client; content:"01E04581-4EEE-11D0-BFE9-00AA005B4383"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01E04581-4EEE-11D0-BFE9-00AA005B4383/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8019; rev:4;)
# sid:8031 -- Mslablti.MarshalableTI.1 CLSID 466D66FA-9616-11D2-9342-0000F875AE17 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID access"; flow:established,to_client; content:"466D66FA-9616-11D2-9342-0000F875AE17"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*466D66FA-9616-11D2-9342-0000F875AE17/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8031; rev:6;)
# sid:8025 -- Microsoft HTML Window Security Proxy CLSID 3050F391-98B5-11CF-BB82-00AA00BDCE0B in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID access"; flow:established,to_client; content:"3050F391-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F391-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8025; rev:4;)
# sid:8006 -- DiskManagement.Connection CLSID FD78D554-4C6E-11D0-970D-00A0C9191601 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|7|00|8|00|D|00|5|00|5|00|4|00|-|00|4|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|7|00|0|00|D|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|9|00|1|00|6|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x007\x008\x00D\x005\x005\x004\x00-\x004\x00C\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x009\x007\x000\x00D\x00-\x000\x000\x00A\x000\x00C\x009\x001\x009\x001\x006\x000\x001\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8006; rev:4;)
# sid:4903 -- VMR ImageSync 9 CLSID E4979309-7A32-495E-8A92-7B014AAD4961 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-054 / CVE-2005-2831.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VMR ImageSync 9 ActiveX Object Access"; flow:from_server,established; content:"E4979309-7A32-495E-8A92-7B014AAD4961"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E4979309-7A32-495E-8A92-7B014AAD4961/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4903; rev:5;)
# sid:7461 -- WMT Audio Analyzer CLSID 1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# ASCII counterpart is sid:7460; MS06-042 / CVE-2006-3638.
# NOTE(review): no nocase on the content, unlike sibling unicode rules; content is fast_pattern:only and the pcre is /i, so likely cosmetic -- confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|C|00|B|00|1|00|6|00|2|00|3|00|E|00|-|00|B|00|B|00|E|00|C|00|-|00|4|00|E|00|8|00|D|00|-|00|B|00|2|00|D|00|F|00|-|00|D|00|C|00|0|00|8|00|C|00|6|00|F|00|4|00|6|00|2|00|7|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00C\x00B\x001\x006\x002\x003\x00E\x00-\x00B\x00B\x00E\x00C\x00-\x004\x00E\x008\x00D\x00-\x00B\x002\x00D\x00F\x00-\x00D\x00C\x000\x008\x00C\x006\x00F\x004\x006\x002\x007\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7461; rev:4;)
# sid:8805 -- DirectAnimation.DAMontage.1 CLSID C46C1BD6-3C52-11D0-9200-848C1D000000 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8805; rev:4;)
# sid:7465 -- WMT DeInterlace Filter CLSID C8F209F8-480E-454C-94A4-5392D88EBA0F in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS06-042 / CVE-2006-3638.
# NOTE(review): no nocase on the content, unlike sibling unicode rules; content is fast_pattern:only and the pcre is /i, so likely cosmetic -- confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|8|00|F|00|2|00|0|00|9|00|F|00|8|00|-|00|4|00|8|00|0|00|E|00|-|00|4|00|5|00|4|00|C|00|-|00|9|00|4|00|A|00|4|00|-|00|5|00|3|00|9|00|2|00|D|00|8|00|8|00|E|00|B|00|A|00|0|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x008\x00F\x002\x000\x009\x00F\x008\x00-\x004\x008\x000\x00E\x00-\x004\x005\x004\x00C\x00-\x009\x004\x00A\x004\x00-\x005\x003\x009\x002\x00D\x008\x008\x00E\x00B\x00A\x000\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7465; rev:4;)
# sid:7460 -- WMT Audio Analyzer CLSID 1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C in an <OBJECT classid=clsid:...> tag (ASCII form);
# UTF-16LE counterpart is sid:7461; MS06-042 / CVE-2006-3638.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID access"; flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7460; rev:5;)
# sid:7921 -- DsPropertyPages.OU CLSID F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6 in an <OBJECT classid=clsid:...> tag, UTF-16LE form.
# No reference: option is recorded.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|2|00|C|00|3|00|F|00|A|00|A|00|E|00|-|00|C|00|8|00|A|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|C|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|D|00|5|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x002\x00C\x003\x00F\x00A\x00A\x00E\x00-\x00C\x008\x00A\x00C\x00-\x001\x001\x00D\x000\x00-\x00B\x00C\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00D\x005\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7921; rev:5;)
# sid:4913 -- Microsoft Repository Workspace CLSID B1D4ED44-EE64-11D0-97E6-00C04FC30B4A in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-054 / CVE-2005-2831.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Workspace ActiveX Object Access"; flow:from_server,established; content:"B1D4ED44-EE64-11D0-97E6-00C04FC30B4A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1D4ED44-EE64-11D0-97E6-00C04FC30B4A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4913; rev:5;)
# sid:4174 -- Symantec RuFSI Registry Information Class CLSID 69DEAF94-AF66-11D3-BEC0-00105AA9B6AE in an <OBJECT classid=clsid:...> tag (ASCII form);
# bugtraq 8008 / CVE-2003-0470; the MS03-048 reference is the browser-side bulletin cited by the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Symantec RuFSI registry Information Class ActiveX Object Access"; flow:from_server,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; metadata:policy security-ips drop; reference:bugtraq,8008; reference:cve,2003-0470; reference:url,www.microsoft.com/technet/security/bulletin/MS03-048.mspx; classtype:attempted-user; sid:4174; rev:7;)
# sid:4190 -- Kodak Thumbnail Image CLSID E1A6B8A0-3603-101C-AC6E-040224009C02 in an <OBJECT classid=clsid:...> tag (ASCII form); MS99-037.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Thumbnail Image ActiveX Object Access"; flow:from_server,established; content:"E1A6B8A0-3603-101C-AC6E-040224009C02"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E1A6B8A0-3603-101C-AC6E-040224009C02/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4190; rev:4;)
# sid:8027 -- Microsoft WBEM Event Subsystem CLSID 5D08B586-343A-11D0-AD46-00C04FD8FDFF in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID access"; flow:established,to_client; content:"5D08B586-343A-11D0-AD46-00C04FD8FDFF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5D08B586-343A-11D0-AD46-00C04FD8FDFF/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8027; rev:4;)
# sid:14764 -- Macrovision InstallShield Update Service Agent CLSID 5b7524c8-2446-40e9-9474-94a779dba224 in an HTTP response;
# bugtraq 31235 / CVE-2008-2470. Unlike its neighbours this rule has no pcre, so it fires on any occurrence of the
# CLSID string in server-to-client HTTP, not only inside an <OBJECT classid> tag; it also carries service http and
# balanced-ips metadata, which the older rules in this group lack.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX clsid access"; flow:established,to_client; content:"5b7524c8-2446-40e9-9474-94a779dba224"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14764; rev:5;)
# sid:8784 -- DirectAnimation.DAString.1 CLSID C46C1BC4-3C52-11D0-9200-848C1D000000 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8784; rev:4;)
# sid:4175 -- Office 2000/2002 Web Components PivotTable CLSID 0002E520-0000-0000-C000-000000000046 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS02-044 / CVE-2002-0727 / bugtraq 4449.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000/2002 Web Components PivotTable ActiveX Object Access"; flow:from_server,established; content:"0002E520-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E520-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4175; rev:4;)
# sid:8051 -- WDM Instance Provider CLSID D2D588B5-D081-11D0-99E0-00C04FC2F8EC in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WDM Instance Provider ActiveX CLSID access"; flow:established,to_client; content:"D2D588B5-D081-11D0-99E0-00C04FC2F8EC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2D588B5-D081-11D0-99E0-00C04FC2F8EC/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8051; rev:4;)
# sid:8795 -- DirectAnimation.DAPath2.1 CLSID C46C1BD0-3C52-11D0-9200-848C1D000000 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8795; rev:4;)
# sid:4182 -- MSN Chat 4.5/4.6 CLSID 9088E688-063A-4806-A3DB-6522712FC061 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS02-022 / CVE-2002-0155 / bugtraq 4707.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSN Chat v4.5, 4.6 ActiveX Object Access"; flow:from_server,established; content:"9088E688-063A-4806-A3DB-6522712FC061"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9088E688-063A-4806-A3DB-6522712FC061/si"; metadata:policy security-ips drop; reference:bugtraq,4707; reference:cve,2002-0155; reference:url,www.microsoft.com/technet/security/bulletin/MS02-022.mspx; classtype:attempted-user; sid:4182; rev:4;)
# sid:4894 -- PSEnumVariant CLSID 00020421-0000-0000-C000-000000000046 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-054 / CVE-2005-2831.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSEnumVariant ActiveX Object Access"; flow:from_server,established; content:"00020421-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020421-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4894; rev:5;)
# sid:7886 -- AolCalSvr.ACDictionary CLSID 9F62797E-1249-4596-9FF7-AC6D851A542A in an <OBJECT classid=clsid:...> tag (ASCII form).
# No reference: option is recorded.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID access"; flow:established,to_client; content:"9F62797E-1249-4596-9FF7-AC6D851A542A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F62797E-1249-4596-9FF7-AC6D851A542A/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7886; rev:5;)
# sid:8066 -- Windows Scripting Host Shell CLSID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B in an <OBJECT classid=clsid:...> tag (ASCII form).
# Several advisories are attached (CVE-1999-0668, CVE-2000-0597, CVE-2000-1061, CVE-2003-0532; MS99-032, MS00-049, MS00-075, MS03-032;
# bugtraq 598, 1399, 1754, 8456). The "\;" in the KB reference URL escapes semicolons that would otherwise end the option.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID access"; flow:established,to_client; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F935DC22-1CF0-11D0-ADB9-00C04FD58A0B/si"; metadata:policy security-ips drop; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS00-049.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:8066; rev:6;)
# sid:6007 -- Microsoft DT DDS OrgChart GDD Layout CLSID 4CECCEB1-8359-11D0-A34E-00AA00BDCDFD in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-013 / CVE-2006-1186.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Layout ActiveX Object Access"; flow:from_server,established; content:"4CECCEB1-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB1-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6007; rev:4;)
# sid:8831 -- DirectAnimation.DACamera.1 CLSID C46C1BE2-3C52-11D0-9200-848C1D000000 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8831; rev:4;)
# sid:4905 -- Microsoft Repository Object CLSID 6E2270FB-F799-11CF-9227-00AA00A1EB95 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-054 / CVE-2005-2831.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Object ActiveX Object Access"; flow:from_server,established; content:"6E2270FB-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E2270FB-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4905; rev:5;)
# sid:7451 -- "Stetch" CLSID F44BB2D0-F070-463E-9433-B0CCF3CFD627 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS06-042 / CVE-2006-3638. The control name in msg may be a misspelling; the CLSID is what the rule actually keys on.
# NOTE(review): no nocase on the content, unlike sibling unicode rules; content is fast_pattern:only and the pcre is /i, so likely cosmetic -- confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Stetch ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|4|00|4|00|B|00|B|00|2|00|D|00|0|00|-|00|F|00|0|00|7|00|0|00|-|00|4|00|6|00|3|00|E|00|-|00|9|00|4|00|3|00|3|00|-|00|B|00|0|00|C|00|C|00|F|00|3|00|C|00|F|00|D|00|6|00|2|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x004\x004\x00B\x00B\x002\x00D\x000\x00-\x00F\x000\x007\x000\x00-\x004\x006\x003\x00E\x00-\x009\x004\x003\x003\x00-\x00B\x000\x00C\x00C\x00F\x003\x00C\x00F\x00D\x006\x002\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7451; rev:4;)
# sid:8766 -- DirectAnimation.DAView.1 CLSID 283807B5-2C60-11D0-A31D-00AA00B92C03 in an <OBJECT classid=clsid:...> tag, UTF-16LE form;
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|8|00|3|00|8|00|0|00|7|00|B|00|5|00|-|00|2|00|C|00|6|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|1|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x008\x003\x008\x000\x007\x00B\x005\x00-\x002\x00C\x006\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x001\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8766; rev:4;)
# sid:7976 -- ShellFolder for CD Burning CLSID FBEB8A05-BEEE-4442-804E-409D6C4515E9 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS05-038 / CVE-2005-1990 / bugtraq 14511.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID access"; flow:established,to_client; content:"FBEB8A05-BEEE-4442-804E-409D6C4515E9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FBEB8A05-BEEE-4442-804E-409D6C4515E9/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7976; rev:5;)
# sid:7482 -- WMT MuxDeMux Filter CLSID 01002B17-5D93-4551-81E4-831FEF780A53 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-042 / CVE-2006-3638.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID access"; flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7482; rev:5;)
# sid:8813 -- DirectAnimation.DALineStyle.1 CLSID C46C1BF2-3C52-11D0-9200-848C1D000000 in an <OBJECT classid=clsid:...> tag (ASCII form);
# MS06-067 / CVE-2006-4446, CVE-2006-4777.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8813; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Database Tools Database Designer v7.0 ActiveX Object Access"; flow:from_server,established; content:"03CB9467-FD9D-42A8-82F9-8615B4223E6E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03CB9467-FD9D-42A8-82F9-8615B4223E6E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4205; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"72770C4F-967D-4517-982B-92D6B9015649"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72770C4F-967D-4517-982B-92D6B9015649/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4162; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook.Application ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|A|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x00A\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8372; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|6|00|0|00|C|00|4|00|B|00|8|00|3|00|-|00|E|00|2|00|1|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|F|00|3|00|E|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|B|00|E|00|8|00|4|00|A|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x006\x000\x00C\x004\x00B\x008\x003\x00-\x00E\x002\x001\x001\x00-\x001\x001\x00D\x002\x00-\x00B\x00F\x003\x00E\x00-\x000\x000\x008\x000\x005\x00F\x00B\x00E\x008\x004\x00A\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8402; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID access"; flow:established,to_client; content:"E0CB08CE-AB3D-4779-9C77-62A439BFE6C3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0CB08CE-AB3D-4779-9C77-62A439BFE6C3/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7896; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8792; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"05E6787D-82D9-4D24-91DD-97FE8D199501"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05E6787D-82D9-4D24-91DD-97FE8D199501/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4197; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Scan Control ActiveX Object Access"; flow:from_server,established; content:"84926CA0-2941-101C-816F-0E6013114B7F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*84926CA0-2941-101C-816F-0E6013114B7F/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4180; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Video 7 ActiveX clsid access"; flow:established,to_client; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-032.mspx; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; classtype:attempted-user; sid:15672; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode"; flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"String.fromCharCode|28|"; fast_pattern; nocase; pcre:"/new\s*ActiveXObject\(\s*String.fromCharCode\(/smi"; metadata:policy security-ips drop; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16574; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated ActiveX object instantiation via unescape"; flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/new\s*ActiveXObject\(\s*unescape\(/smi"; metadata:policy security-ips drop; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16573; rev:2;)
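# Lotus Domino Web Access (iNotes/dwa) ActiveX: an InstallBrowserHelperDll call whose
# General_ServerName parameter runs for 1024+ bytes without a closing '>' (CVE-2010-0919).
# The 1024-byte length check must be relative to the General_ServerName match: the previous
# `isdataat:1024;` (non-relative, placed before any content) only required the packet to be
# 1024 bytes long, so a parameter that happened to sit near the end of a buffer would satisfy
# the negated `content:!">"; within:1024;` on a truncated window and fire spuriously, while
# `isdataat:1024,relative;` guarantees the 1024 bytes being inspected actually follow the parameter.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:established,to_client; content:"ctrl.InstallBrowserHelperDll"; nocase; content:"General_ServerName"; nocase; isdataat:1024,relative; content:!">"; within:1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:3;)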
# sids 17592-17596: one CLSID-only rule per control from the same xsec.org release (CVE-2006-4495).
# Like sid 15672 these have no <OBJECT> pcre guard. sid 17592 (MyInfo.dll) is the only one of the
# five not in the balanced-ips policy and without service http - presumably deliberate, but worth a look.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft creator.dll 2 ActiveX clsid access"; flow:established,to_client; content:"F849164D-9863-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MyInfo.dll ActiveX clsid access"; flow:established,to_client; content:"4682C82A-B2FF-11D0-95A8-00A0C92B77A9"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17592; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft creator.dll 1 ActiveX clsid access"; flow:established,to_client; content:"606EF130-9852-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:1;)
# sid 17571: `new ActiveXObject(` with `unescape(` ending within 20 bytes of it (i.e. at most
# 11 bytes of whitespace between them). Overlaps with sid 16573 above, which allows any gap.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated instantiation of ActiveX object - likely malicious"; flow:established,to_client; content:"new ActiveXObject|28|"; nocase; content:"unescape|28|"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft ciodm.dll ActiveX clsid access"; flow:established,to_client; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft msdxm.ocx ActiveX clsid access"; flow:established,to_client; content:"8E71888A-423F-11D2-876E-00A0C9082467"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:1;)
# Whale Client Components: ProgID and CLSID variants of the same control (CVE-2007-2238).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Whale Client Components ActiveX ProgID access"; flow:established,to_client; content:"ComponentManager.Installer"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18491; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Whale Client Components ActiveX clsid access"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18490; rev:2;)
# sid 18578: RealPlayer control plus a cdda:// URI of 100+ non-whitespace/non-quote characters.
# `isdataat:100,relative` after the cdda:// match is the correct way to assert the 100 bytes exist
# before the pcre; the other length-overflow rules in this file should follow the same shape.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; nocase; content:"cdda|3A 2F 2F|"; nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:1;)
# LEADTOOLS Raster Twain: CLSID and ProgID variants; only a bugtraq reference is available.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX clsid access"; flow:established,to_client; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,42823; classtype:attempted-user; sid:19085; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX function call"; flow:established,to_client; content:"LEADRasterTwain.LEADRasterTwain"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,42823; classtype:attempted-user; sid:19086; rev:1;)
# WEB-CLIENT: malformed files / markup delivered to a browser or media player over HTTP.
# sid 3079: RIFF/ANI cursor whose 4-byte chunk length right after the "anih" tag exceeds 36
# (36 being, presumably, the size of the fixed ANIHEADER structure) - MS05-002 / MS07-017.
# NOTE(review): both tags use nocase although RIFF chunk tags are case-sensitive; harmless but broader.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,www.microsoft.com/technet/security/bulletin/MS05-002.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS07-017.mspx; classtype:attempted-user; sid:3079; rev:9;)
# sids 3148 / 3814 / 4132 / 4133 / 4134 are older CLSID rules written without fast_pattern:only;
# the single content is still the fast pattern by default, so behaviour matches the newer rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; metadata:policy security-ips drop; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB828750; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q293338; reference:url,www.microsoft.com/technet/security/bulletin/MS02-055.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS05-001.mspx; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:9;)
# sid 3471: PLS playlist with a FileN=http:// entry of 150+ bytes on one line. The pcre's R flag
# starts the search right after "[playlist]"; with the m flag, ^ anchors to any line start.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT iTunes playlist URL overflow attempt"; flow:from_server,established; content:"[playlist]"; pcre:"/^File[0-9]+=http\x3a\x2f\x2f[^\n]{150}/Rsmi"; metadata:policy security-ips drop; reference:bugtraq,12238; reference:cve,2005-0043; classtype:attempted-user; sid:3471; rev:5;)
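# RealPlayer SMIL: a system-screen-size="..." attribute whose value runs 256+ bytes with no
# closing quote (CVE-2005-0455). The length check is now `isdataat:256,relative` so that the
# 256 bytes are measured from the opening quote that was just matched; the previous
# `isdataat:256;` was non-relative and only required 256 bytes from the start of the buffer,
# which let an attribute near the end of a buffer satisfy the negated `content:!"|22|"; within:256;`
# on a truncated window and alert on benign markup.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer SMIL file overflow attempt"; flow:to_client,established; content:"<smil>"; nocase; content:"system-screen-size=|22|"; distance:0; nocase; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy security-ips drop, service http; reference:bugtraq,12698; reference:cve,2005-0455; classtype:attempted-user; sid:3473; rev:13;)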
# Mozilla GIF application-extension overflow (CVE-2005-0399), three variants: sid 3536 and sid 6503
# rely on the http.gif flowbit set elsewhere (multipacket), sid 6502 instead checks the Content-Type
# header itself with a pcre (single packet). All three look for the NETSCAPE2.0 / ANIMEXTS1.0
# application extension, skip one byte, require a |02| sub-block id and then byte_test a 4-byte
# big-endian value at relative offset 3 for > 0x7f.
# NOTE(review): the value is read 3 bytes after the |02| id rather than immediately after it -
# confirm this against the Netscape application-extension sub-block layout before relying on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:3536; rev:10;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE javaprxy.dll COM access"; flow:from_server,established; content:"03D9F3F2-B0E3-11D2-B081-006008039BF0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03D9F3F2-B0E3-11D2-B081-006008039BF0/si"; metadata:policy security-ips drop; reference:bugtraq,14087; reference:cve,2005-2087; reference:url,www.microsoft.com/technet/security/bulletin/ms05-037.mspx; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17680; classtype:attempted-user; sid:3814; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT msdds clsid attempt"; flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; reference:bugtraq,14594; reference:cve,2005-1990; reference:cve,2005-2127; reference:url,www.frsirt.com/english/advisories/2005/1450; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4132; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT devenum clsid attempt"; flow:from_server,established; content:"083863F1-70DE-11d0-BD40-00A0C911CE86"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083863F1-70DE-11d0-BD40-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4133; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT blnmgr clsid attempt"; flow:from_server,established; content:"3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4134; rev:3;)
# Windows shortcut (.LNK) overflow, MS05-049. Both rules anchor on the LNK header (size 0x4C plus
# the {00021401-0000-0000-C000-000000000046} link CLSID), test bit 0x04 of the flags byte, then walk
# the variable-length structures with a chain of little-endian byte_jumps (the `multiplier 2` jumps
# step over UTF-16 string data) to reach a |CC 00 00 00| marker followed by 72+ bytes that contain
# no |00 00| in the 32-byte window 40 bytes further on. sid 4644 handles the flag-set case and has
# one more byte_jump than sid 4643 (flag-clear case) - presumably skipping the extra string the
# flag announces. The byte_jump chain is order-dependent; do not reorder options here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed windows shortcut file with comment buffer overflow attempt"; flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/bulletin/MS05-049.mspx; classtype:attempted-user; sid:4644; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed windows shortcut file buffer overflow attempt"; flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/bulletin/MS05-049.mspx; classtype:attempted-user; sid:4643; rev:5;)
# sid 5319: fixed byte sequences taken from the Metasploit WMF (SetAbortProc) module, MS06-001.
# This is an exploit-specific signature, not a generic detection of the vulnerability.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Metasploit Windows picture and fax viewer wmf arbitrary code execution attempt"; flow:from_server,established; content:"|01 00 09 00 00 03|R|1F 00 00 06 00|=|00 00 00 00 00|"; content:"&|06 09 00 16 00|"; metadata:policy security-ips drop; reference:bugtraq,16074; reference:cve,2005-4560; reference:url,www.microsoft.com/technet/security/bulletin/ms06-001.mspx; classtype:web-application-attack; sid:5319; rev:5;)
# sid 5710: <EMBED ... src=...> whose src value is 1024+ bytes (quoted with " or ', or unquoted).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player Plugin for Non-IE browsers buffer overflow attempt"; flow:from_server,established; content:"<EMBED"; nocase; content:"src"; distance:0; nocase; pcre:"/<EMBED[^>]+?src\s*=\s*(\x22[^\x22]{1024}|\x27[^\x27]{1024}|[^\s]{1024})/i"; metadata:policy security-ips drop, service http; reference:bugtraq,16644; reference:cve,2006-0005; reference:url,www.microsoft.com/technet/security/bulletin/ms06-006.mspx; classtype:attempted-user; sid:5711; rev:6;)
# sid 5711: BMP header with bfSize == 0 (MS06-005). Not file_data-anchored; the ^...m pcre only
# requires "BM" at the start of some line, so it is looser than its sibling sid 5712 below.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player zero length bitmap heap overflow attempt"; flow:established,to_client; content:"BM|00 00 00 00|"; pcre:"/^BM\x00\x00\x00\x00/sm"; metadata:policy security-ips drop; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,www.eeye.com/html/research/advisories/AD20060214.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-005.mspx; classtype:attempted-admin; sid:5711; rev:2;)
# sid 5713: placeable WMF (key D7 CD C6 9A) whose 16-bit field at relative offset 25 is < 8, MS06-004.
# NOTE(review): the placeable header is 22 bytes, which would put the standard header's HeaderSize
# word at relative offset 20 (after the 4-byte key), not 25; offset 25 straddles HeaderSize/Version.
# Confirm which field this byte_test is meant to read before tuning it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Metafile invalid header size integer overflow"; flow:from_server,established; content:"|D7 CD C6 9A|"; byte_test:2,<,8,25,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,16516; reference:cve,2006-0020; reference:url,www.microsoft.com/technet/security/bulletin/ms06-004.mspx; classtype:attempted-admin; sid:5713; rev:5;)
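# BMP (file_data-anchored, "BM" in the first two bytes) whose bfOffBits - the 4-byte little-endian
# pixel-data offset read 8 bytes after "BM", i.e. at file offset 10 - is smaller than the 14-byte
# file header it must skip (MS06-005, CVE-2006-0006).
# Fixes: msg category was "WEB CLIENT" (missing hyphen), breaking category-based filtering and
# reporting that keys on the "WEB-CLIENT" prefix used by every sibling rule; the eEye advisory URL
# was truncated to AD2006021.html - corrected to AD20060214.html, the same advisory sid 5711
# references for this CVE. No detection logic changed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player invalid data offset bitmap heap overflow attempt"; flow:established,to_client; file_data; content:"BM"; within:2; byte_test:4,<,14,8,little,relative; metadata:policy security-ips drop; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,www.eeye.com/html/research/advisories/AD20060214.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-005.mspx; classtype:attempted-admin; sid:5712; rev:4;)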
# sid 5741: HTML Help Workshop .hhp project file (needs the http.hhp.download flowbit set upstream)
# with a "... file=" key inside one of the listed [SECTION]s whose value is 200+ bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.hhp.download; content:"["; content:"]"; distance:0; content:"file"; distance:0; nocase; content:"="; distance:0; pcre:"/\x5B(OPTIONS|WINDOWS|MERGE FILES|MAP|ALIAS|TEXT\x20POPUPS|INFOTYPES|SUBSETS)\x5D.*?(Contents|Index|Compiled|Sample List|Full text search stop list)\x20file\s*\x3D[^\r\n]{200}/smi"; metadata:policy security-ips drop; reference:cve,2006-0564; reference:cve,2009-0133; reference:url,users.pandora.be/bratax/advisories/b008.html; reference:url,www.frsirt.com/english/advisories/2006/0446; classtype:attempted-user; sid:5741; rev:4;)
# sid 6502: single-packet GIF variant of sid 3536/6503 - verifies "Content-Type: image/gif" itself
# (header may be folded onto a continuation line) instead of relying on the http.gif flowbit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0"; flow:from_server,established; content:"image/"; pcre:"/^Content-Type\s*\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; content:"GIF"; distance:0; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6502; rev:6;)
# MS06-043 mhtml: URL (Internet shortcut "URL=" line, sid 6510) or href attribute (sid 6509) of the
# form mhtml://<2-31 letters/dashes>:<1253+ bytes>. Same CVE, two delivery vectors.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow attempt"; flow:to_client,established; content:"URL"; nocase; content:"mhtml|3A|//"; distance:0; nocase; pcre:"/^\s*URL\s*=\s*mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\r\n]{1253}/smi"; metadata:policy security-ips drop; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,www.microsoft.com/technet/security/bulletin/ms06-043.mspx; classtype:attempted-user; sid:6510; rev:7;)
# sid 6506: QuickTime 'udta' atom whose 32-bit big-endian size (8 bytes before the end of the tag,
# i.e. the atom length that precedes the 4-byte type) is >= 0xFFFFFFFC - a value that wraps to a
# tiny/negative length once the 8-byte atom header is subtracted (hedged: inferred from the threshold).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime udta atom overflow attempt"; flow:to_client,established; content:"udta"; byte_test:4,>,4294967291,-8,relative; metadata:policy security-ips drop; reference:bugtraq,17953; reference:cve,2006-1460; classtype:attempted-user; sid:6506; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6503; rev:6;)
# sid 6505: OLE compound file (D0 CF 11 E0 A1 B1 1A E1 in the first 8 bytes) whose little-endian
# dword at file offset 64 (8 + 56) - the mini-FAT sector count - exceeds 8388606.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; byte_test:4,>,8388606,56,little,relative; metadata:policy security-ips drop; reference:bugtraq,17074; reference:cve,2006-1249; classtype:attempted-user; sid:6505; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer mhtml uri href buffer overflow attempt"; flow:to_client,established; content:"mhtml|3A|//"; nocase; pcre:"/href\s*=\s*(\x22mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x22]{1253}|\x27mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x27]{1253}|mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x09\r\n\x20]{1253})/smi"; metadata:policy security-ips drop; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,www.microsoft.com/technet/security/bulletin/ms06-043.mspx; classtype:attempted-user; sid:6509; rev:5;)
# sid 7022: .url Internet shortcut (file_data, "[InternetShortcut]" within the first 100 bytes)
# whose url= value starts with the repeated "file:file:file:" prefix that crashes Explorer.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT windows explorer invalid url file overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; within:100; nocase; content:"url="; distance:0; nocase; content:"file|3A|file|3A|file|3A|"; distance:0; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,18838; reference:cve,2006-3351; classtype:denial-of-service; sid:7022; rev:4;)
# Excel OBJ record (id 0x005D, little-endian "|5D 00|") carrying an ftCmo sub-record (|15 00 12 00|),
# MS06-037. Both need the http.xls flowbit. sid 7048 alerts when the record length word exceeds 8224
# (the maximum BIFF record size); sid 7204 when the word following ftCmo exceeds 0x1E.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel object record overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|5D 00|"; byte_test:2,>,8224,0,relative,little; content:"|15 00 12 00|"; within:4; distance:2; metadata:policy security-ips drop, service http; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,www.microsoft.com/technet/security/bulletin/ms06-037.mspx; classtype:attempted-user; sid:7048; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel object ftCmo overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|5D 00|"; content:"|15 00 12 00|"; within:4; distance:2; byte_test:2,>,0x1E,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,www.microsoft.com/technet/security/bulletin/ms06-037.mspx; classtype:attempted-user; sid:7204; rev:6;)
# sid 8058: `window.navigator=` (at most one byte between them) followed somewhere later by "java." - MFSA 2006-45.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla javascript navigator object access"; flow:to_client,established; content:"window.navigator"; nocase; content:"="; within:2; content:"java."; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,19181; reference:cve,2006-3677; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-45.html; classtype:attempted-user; sid:8058; rev:2;)
# sid 8091: RealPlayer <imfl> document containing a '%' inside a tag (format-string vector). The pcre
# R flag searches relative to the <imfl> match; O overrides the configured PCRE match limits.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer error message format string vulnerability attempt"; flow:established,to_client; content:"<imfl>"; nocase; pcre:"/<[^>]*?\x25/ROsmi"; metadata:policy security-ips drop; reference:bugtraq,14945; reference:cve,2005-2710; classtype:attempted-user; sid:8091; rev:5;)
# sid 8416: VML <x:fill ... method=...> with a method value of 32+ bytes (MS06-055).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML fill method overflow attempt"; flow:from_server,established; content:"|3A|fill"; nocase; content:"method"; distance:0; nocase; pcre:"/<\w+\x3afill\s[^>]*method\s*=\s*(\x27[^\x27]{32}|\x22[^\x22]{32}|[^\s>]{32})/smi"; metadata:policy security-ips drop; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,www.microsoft.com/technet/security/bulletin/ms06-055.mspx; classtype:attempted-user; sid:8416; rev:7;)
# sid 8448: Excel COLINFO record (0x007D, length 0x000C, colFirst 0) whose second byte after the
# matched header - presumably the high byte of colLast - is non-zero (MS06-059).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel colinfo XF record overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"}|00 0C 00 00 00|"; content:!"|00|"; within:1; distance:1; metadata:policy security-ips drop; reference:cve,2006-3875; reference:url,www.microsoft.com/technet/security/bulletin/ms06-059.mspx; classtype:attempted-user; sid:8448; rev:4;)
# ASF object-header GUIDs (little-endian byte order) followed by a little-endian dword count at the
# given relative offset. The thresholds (715827882 = 0xFFFFFFFF/6, 134217727 = 0x7FFFFFF) look like
# the largest count that does not overflow a count*size allocation - MS06-078 / MS09-052.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; content:"|90 08 00|3|B1 E5 CF 11 89 F4 00 A0 C9 03|I|CB|"; byte_test:4,>,715827882,36,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9641; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; content:"@R|D1 86 1D|1|D0 11 A3 A4 00 A0 C9 03|H|F6|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9642; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF marker object parsing buffer overflow attempt"; flow:to_client,established; content:"|01 CD 87 F4|Q|A9 CF 11 8E E6 00 C0 0C| Se"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9643; rev:3;)
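# QuickTime RTSP URL overflow (MOAB-01-01-2007, CVE-2007-0015): an rtsp:// URL of 200+ bytes
# either as a quoted or unquoted attribute value, or inside a <src>...</src> element.
# Fixes to the pcre (detection only widened/corrected, content prefilter unchanged):
#  - the unquoted-attribute alternative was spelled `rstp\x3A`, a transposition that could never
#    match a real rtsp: URL, so unquoted `src=rtsp://...` payloads were silently missed;
#  - the quote class was written `[\x27|\x22]`, which is not alternation inside a character class
#    but a literal '|' - dropped so the class is just ' or ".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime RTSP URI overflow attempt"; flow:from_server,established; content:"rtsp|3A|//"; nocase; pcre:"/(=\s*([\x27\x22]rtsp\x3A[^\x22\x27\s]{200}|rtsp\x3A[^\s\x3E]{200})|\x3Csrc\x3Ertsp\x3A[^\x3C]{200})/smi"; metadata:policy security-ips drop; reference:bugtraq,21829; reference:cve,2007-0015; reference:url,applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html; classtype:attempted-user; sid:9823; rev:6;)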
# sid 9840: QuickTime HREF track (needs http.quicktime flowbit) - an `A?<scheme://... > T<` or
# `<javascript:... > T<` target; classtype misc-activity because HREF tracks are a legitimate feature.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime HREF Track Detected"; flow:established,to_client; flowbits:isset,http.quicktime; content:"> T<"; fast_pattern:only; pcre:"/A?<\s*([A-Za-z]{3,5}\x3A\x2F\x2F|javascript\x3a)[^>]+> T</sm"; metadata:policy security-ips drop, service http; reference:cve,2007-0059; reference:url,projects.info-pull.com/moab/MOAB-03-01-2007.html; reference:url,www.apple.com/quicktime/tutorials/hreftracks.html; classtype:misc-activity; sid:9840; rev:7;)
# sid 10063: Firefox location.QueryInterface(Components.interfaces.nsIClassInfo...) - MFSA 2006-04.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Firefox query interface suspicious function call access attempt"; flow:established,to_client; content:"location.QueryInterface"; nocase; content:"Components.interfaces.nsIClassInfo"; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-04.html; classtype:attempted-user; sid:10063; rev:4;)
# sid 11267: PNG PLTE chunk whose big-endian length (the dword preceding the "PLTE" tag, relative
# offset -8) exceeds 768 = 256 palette entries * 3 bytes (CVE-2007-2365).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Photoshop PNG file handling stack buffer overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"PLTE"; byte_test:4,>,768,-8,relative,big; metadata:policy security-ips drop; reference:bugtraq,23698; reference:cve,2007-2365; classtype:attempted-user; sid:11267; rev:4;)
# sid 12219: SMIL wallclock( value with a fractional-seconds part of 11+ characters (CVE-2007-3410).
# The same CVE is covered again by sid 12728 further down with a looser pcre; the two overlap.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow"; flow:to_client,established; content:"smil "; nocase; content:"wallclock|28|"; distance:0; nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:3;)
# sid 12256: Excel FBI record (0x1060, matched little-endian as "`|10|") with the word at relative
# offset 6 > 32767 (MS07-023).
# NOTE(review): this byte_test has no `little` modifier, so the word is read big-endian, unlike the
# BIFF fields in sids 7048/7204/12284 - confirm whether the byte order is intentional.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel malformed FBI record"; flow:from_server,established; flowbits:isset,http.xls; content:"`|10|"; byte_test:2,>,32767,6,relative; metadata:policy security-ips drop, service http; reference:bugtraq,23826; reference:cve,2007-1203; reference:cve,2007-1747; reference:url,www.microsoft.com/technet/security/bulletin/ms07-023.mspx; classtype:attempted-user; sid:12256; rev:4;)
# sid 12284: Excel workspace (.xlw, http.xlw flowbit) rtWnDesk record 0x0038 with a little-endian
# word > 32767 right after the 4-byte record header (MS07-044). No metadata:policy set on this one.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt"; flow:to_client,established; content:"8|00 04 00|"; byte_test:2,>,32767,0,relative,little; flowbits:isset,http.xlw; reference:cve,2007-3890; reference:url,www.microsoft.com/technet/security/Bulletin/ms07-044.mspx; classtype:attempted-user; sid:12284; rev:2;)
# sid 12286: JavaScript RegExp( with a nested "[[" ... "]]" character-class construct (Safari/PCRE double free).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PCRE character class double free overflow attempt"; flow:to_client,established; content:"RegExp("; nocase; content:"[["; distance:0; content:"]]"; within:6; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25002; reference:cve,2007-3944; reference:url,docs.info.apple.com/article.html?artnum=306174; classtype:attempted-user; sid:12286; rev:6;)
# sid 12707: Lyrics3 tag (LYRICSBEGIN) with an EAL/EAR/ETT field whose size is written as -1 (optionally
# zero-padded), giving a negative length (CVE-2007-5080). No metadata:policy set.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer lyrics heap overflow attempt"; flow:established,to_client; content:"LYRICSBEGIN"; nocase; pcre:"/(EAL|EAR|ETT)\s*-0{0,4}1/i"; reference:bugtraq,26214; reference:cve,2007-5080; classtype:attempted-user; sid:12707; rev:1;)
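# sid 12728: RealPlayer SMIL wallclock stack overflow (CVE-2007-3410), the
# looser companion of sid 12219 above: after "wallclock(" it wants a "." and
# 11 digits before the closing ")".
# Fix: the rule watches HTTP server -> client traffic but carried
# "service sunrpc"; with service-aware rule binding that tag keeps the rule
# off the HTTP stream it was written for. Retagged "service http" like every
# other rule in this file and rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks SMIL wallclock stack overflow attempt"; flow:established,to_client; content:"<smi"; nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24658; reference:cve,2007-3410; classtype:attempted-user; sid:12728; rev:3;)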
# libFLAC metadata rules (CVE-2007-4619). All three key on the "fLaC" marker,
# a one-byte block-type content (|06| picture, |04| Vorbis comment) and then
# a length field of 0xFFFFFFFF. sids 12743 and 12745 cover the same picture
# block with different cursor arithmetic (byte_jump over the description
# length vs. a fixed distance:7); the sids are listed out of numeric order.
# The single-byte contents are weak search patterns — the engine has to test
# every 0x06/0x04 in the stream — so "fLaC" is effectively the fast pattern.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC picture description metadata buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|06|"; byte_jump:4,7,relative; content:"|FF FF FF FF|"; within:4; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12743; rev:1;)
# sid 12757: QuickTime PICT. After a run of ten zero bytes and the PICT
# version opcode, a 0x8201 opcode followed by a 4-byte size below 50.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC VORBIS string buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|04|"; content:"|FF FF FF FF|"; within:4; distance:3; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12744; rev:1;)
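# sid 13159: ASF audio error-masking object (CVE-2007-0064, MS07-068). After
# the object GUID, byte_jump skips the 4-byte field at offset 8 and byte_test
# then checks the 2-byte length at offset 14 against 65527.
# Fix: the msg prefix was "WEB_CLIENT" (underscore). The prefix is the
# category analysts and SIEM parsers group alerts on, so this rule and its
# sibling sid 13158 fell outside the WEB-CLIENT family; normalised to the
# hyphenated form used by every other rule here and rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:established,to_client; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13159; rev:3;)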
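# sid 13160: ASF audio spread error-correction object (CVE-2007-0064,
# MS07-068); the 4-byte data length 12 bytes past the GUID must not exceed
# 65522.
# Fix: vendor name was misspelt "Microsft" in the msg, which splits this
# alert from its siblings (sids 13158/13159) in any name-based search or
# grouping; corrected and rev bumped. Matching logic is unchanged.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:established,to_client; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13160; rev:3;)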
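# sid 13158: ASF interchange-data object (CVE-2007-0064, MS07-068); the
# 2-byte field 52 bytes past the GUID must not exceed 65476.
# Fix: same msg-prefix defect as sid 13159 — "WEB_CLIENT" normalised to
# "WEB-CLIENT" so the alert groups with the rest of the category; rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:established,to_client; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13158; rev:3;)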
# 3ivx MP4 metadata atoms (CVE-2006-4386 / CVE-2007-6401). Five rules of one
# shape: gated on the http.mp4 flowbit (setter not in this view), they match
# the (c)-prefixed atom tag and fire when the 4-byte length that follows it
# exceeds 512.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing des buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|des"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13319; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing ART buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|ART"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13316; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cpy buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cpy"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13320; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing nam buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|nam"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13317; rev:6;)
# Flash-embedded JPEG (CVE-2007-6242): walk SWF header -> JPEG SOI -> JFIF ->
# SOF0 marker (|FF C0|); the SOF0 segment is length(2) precision(1)
# height(2) width(2), hence offset 3 for height (sid 13300) and 5 for width
# (sid 13301), both big-endian and tested against 32767.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 3, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13300; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player embedded JPG image width overflow attempt"; flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 5, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13301; rev:2;)
# sid 13516: a 404 status line with no line feed in the next 256 bytes
# (isdataat guarantees the bytes exist; the negated content checks them).
# NOTE(review): "flowbits:isset, quicktime_agent" has a stray space after
# the comma and uses a different naming scheme from the http.* flowbits in
# this file — confirm the setter rule uses exactly this name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Quicktime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset, quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:3;)
# sid 13585: SYLK ("ID;P" header) served where a CSV was requested
# (csv.download flowbit); MS08-014 file-type confusion. misc-activity, so
# this is an indicator rather than an exploit match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SYmbolic LinK file download"; flow:to_client,established; flowbits:isset,csv.download; content:"ID|3B|P"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2008-0112; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-014.mspx; classtype:misc-activity; sid:13585; rev:4;)
# SWF DefineSceneAndFrameLabelData (CVE-2007-0071): three rules with the same
# msg and different sids, each a fixed-offset chain of tag headers from a
# known sample layout (within/distance pairs). They are exact-layout matches;
# a sample with different tag spacing is not covered by any of the three.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|"; within:6; distance:900; content:"?|13 1F 00 00 00|"; within:6; distance:640; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|A8 15|"; content:"|8C 15|"; within:2; distance:40; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"|19 13|"; within:2; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|"; within:6; distance:45; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"?|13 19 00 00 00|"; within:6; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:3;)
# sid 13920: QuickTime "obji" atom whose 4-byte size (the field just before
# the tag, offset -8) is under 20 — too small for the fixed structure.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime Obji Atom parsing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"obji"; nocase; byte_test:4,<,20,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:13920; rev:1;)
# sid 13950: JNLP <j2se> tag with a 50+ character initial-/max-heap-size
# attribute value.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start JNLP attribute buffer overflow attempt"; flow:established,to_client; content:"<j2se"; nocase; pcre:"/\x3cj2se[^\x3e]*(initial|max)-heap-size\s*\x3d\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:13950; rev:5;)
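# sid 15014: Adobe Reader util.printf() with an oversized %...f field width
# (CVE-2008-2992). Gated on the http.pdf flowbit (setter not in this view).
# Fix: the old width pattern "[2-9][6-9][5-9]" only matched three-digit
# widths whose digits were individually in range (265, 299, 365 ...) and
# silently skipped e.g. 270-274, 300-359 and 400-459. The alternation now
# covers every three-digit width of 265 or more, keeping the original
# minimum, plus any 4+ digit width as before. The string may also be
# single-quoted in JavaScript, so the opening quote accepts ' as well as ".
# rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader and Acrobat util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript/JS"; nocase; content:"util.printf"; pcre:"/\x28\s*[\x22\x27]\s*\x25(26[5-9]|2[7-9][0-9]|[3-9][0-9]{2}|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:3;)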
# sid 15081: XML declaration whose encoding= value runs to 28+ characters
# inside its quotes (CVE-2008-1188, Java Web Start). The pcre is anchored to
# the start of the buffer (^ with /m), so only a leading <?xml is examined.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start xml encoding buffer overflow attempt"; flow:established,to_client; content:"<?xml"; nocase; content:"encoding"; distance:0; nocase; pcre:"/^<\x3Fxml[^>]+?encoding\s*=\s*(\x22[^\x22]{28}|\x27[^\x27]{28})/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,28083; reference:cve,2008-1188; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1; classtype:attempted-admin; sid:15081; rev:2;)
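# sid 15157: VLC XSPF playlist with a negative number inside <identifier>
# (CVE-2008-4558). Inspects the reassembled body (file_data) and is gated on
# the xspf_file.request flowbit, whose setter is not in this view.
# Fix: the msg still carried a "TEST" suffix left over from rule
# development; in production that suffix misleads analysts and breaks
# name-based matching against the rest of the category. Removed, rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_client,established; flowbits:isset,xspf_file.request; file_data; content:"|3C|identifier|3E|"; pcre:"/\x3cidentifier\x3E[^\x3c]*\x2d\d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:4;)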
# sid 15236: XPM file with a 300+ character quoted line.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ACD Systems ACDSee XPM file format overflow attempt"; flow:to_client,established; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy security-ips drop, service http; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:15236; rev:3;)
# sid 15306: PE download indicator and setter of exe.download. Reads the
# little-endian e_lfanew at DOS offset 0x3C (4 bytes into the match + 56),
# jumps there and requires the "PE\0\0" signature at that position.
# NOTE(review): the match demands 0x90 0x00 right after "MZ" (e_cblp),
# which is common but not universal for PE images, so exe.download is not
# set for every executable that crosses the wire. Alert-only in balanced.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Portable Executable binary file transfer"; flow:to_client,established; content:"MZ|90 00|"; byte_jump:4,56,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,exe.download; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:15306; rev:6;)
# sid 15357: PDF JBIG2Decode stream (CVE-2009-0658). After the stream
# keyword and EOL, three byte_tests check flag bits and a 32-bit big-endian
# size above 0x1000 inside the segment header.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt"; flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; nocase; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/si"; byte_test:1,&,0x40,4,relative; byte_test:1,=,0,5,relative; byte_test:4,>,0x1000,6,relative,big; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15357; rev:4;)
# JavaScript obfuscation heuristics (misc-activity, not a specific CVE):
# sid 15362 wants five String.fromCharCode( calls each within 100 bytes of
# the previous one; sid 15363 wants eval( followed by unescape( within 15
# bytes and no ")" for 250 bytes. Both are heuristics and can fire on
# legitimately packed scripts.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; metadata:policy security-ips drop, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15362; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt"; flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:2;)
# sid 15384: PICT poly opcode (0x70-0x74) with a short size, checked
# relative to the PICT version header (/R).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime pict image poly structure memory corruption attempt"; flow:established,to_client; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:3;)
# sid 3552: OLE compound file whose Root Entry carries the HTA CLSID but
# was not served as an .hta (flowbits:isnotset,http.hta) — MS05-016
# masquerade. UTF-16LE "Root Entry" is spelled out byte by byte.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OLE32 microsoft MSHTA masquerade attempt"; flow:to_client,established; flowbits:isnotset,http.hta; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; nocase; content:"|D8 F4|P0|B5 98 CF 11 BB 82 00 AA 00 BD CE 0B|"; within:16; distance:60; metadata:policy security-ips drop; reference:bugtraq,13132; reference:cve,2005-0063; reference:url,www.microsoft.com/technet/security/bulletin/ms05-016.mspx; classtype:attempted-user; sid:3552; rev:7;)
# sid 15430: EMF+ GpFont.SetData (CVE-2009-1217). Walks the EMF header into
# the EMF+ comment record and tests a 32-bit little-endian length against
# 4261412864 (0xFE000000).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:established,to_client; content:"|01 00 00 00|"; content:" EMF"; within:4; distance:36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|"; within:12; distance:-8; content:"F|00 00 00|"; distance:0; content:"|08|@|00 06|"; within:4; distance:12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:2;)
# sid 15472: .pls playlist File=... value with no line feed in 500 bytes
# (same isdataat + negated-content idiom as sid 13516).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Nullsoft Winamp pls file player name handling buffer overflow attempt"; flow:to_client,established; content:"[playlist]"; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy security-ips drop, service http; reference:bugtraq,16410; reference:cve,2006-0476; classtype:attempted-user; sid:15472; rev:4;)
# sid 15471: silent flowbit setter (noalert) — any client request containing
# ".asp" sets asp.upload for a downstream rule. Deliberately broad; it never
# alerts on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT asp file upload"; flow:to_server,established; content:".asp"; nocase; flowbits:set,asp.upload; flowbits:noalert; classtype:protocol-command-decode; sid:15471; rev:3;)
# sid 15559: QuickTime "crgn" clipping region (CVE-2009-0954). byte_jump
# reads the 16-bit big-endian region size just before the tag, and the
# negated content requires the bounding rect not to be 7FFF 7FFF.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime Movie File Clipping Region handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"crgn"; byte_jump:2,-6,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15559; rev:1;)
# sid 15562: JPEG 2000 codestream in a PDF (CVE-2009-1859): from the SIZ
# marker (|FF|Q) skip 3x the component count (multiplier 3) to the COD
# marker (|FF|R) and test the code-block width exponent byte against 16.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader JPX malformed code-block width attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"jP  "; content:"|FF|O|FF|Q"; distance:0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF|R"; within:2; byte_test:1,>,16,7,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1859; classtype:attempted-user; sid:15562; rev:2;)
# sid 15583: ARJ archive (0x60 0xEA magic) with a 256-byte run of non-NUL
# bytes where a NUL-terminated name is expected (CVE-2005-0350). Gated on
# arj_file.request; setter not in this view. The pcre's ".+" alternative is
# unbounded and can be costly on large bodies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT F-Secure AntiVirus library heap overflow attempt"; flow:to_client,established; flowbits:isset,arj_file.request; content:"|0A|`|EA|"; pcre:"/\x0a\x0d?\x0a\x60\xea(.{36}[^\x00]{256}|.+\x60\xea.{32}[^\x00]{256})/s"; metadata:policy security-ips drop, service http; reference:bugtraq,12515; reference:cve,2005-0350; classtype:attempted-user; sid:15583; rev:2;)
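# sid 15705: iTunes pcast:// URL handler (CVE-2009-0950) — a quoted pcast://
# URL with 256 non-quote, non-slash characters after a colon.
# Fix: unlike its four siblings for the same CVE (sids 15703/15704/15706/
# 15707) this rule had no isdataat pre-check, so the pcre was evaluated on
# every pcast:// hit even when fewer than 256 bytes remained. Any pcre match
# needs at least 257 bytes after the first "pcast://", so requiring 256
# bytes after the content match cannot exclude a true positive; it only
# skips the regex on short candidates. rev bumped to match the siblings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"pcast|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:2;)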
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat PDF font processing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"obj<<"; content:"/BaseFont"; distance:0; content:"endobj"; distance:0; pcre:"/obj\x3c\x3c.*?\x2fBaseFont\x2f[^\x80-\xff\x2f]*[\x80-\xff].*?endobj/s"; metadata:policy security-ips drop, service http; reference:bugtraq,32100; reference:cve,2008-4813; reference:url,vallejo.cc/proyectos/adobereader812.html; classtype:attempted-user; sid:15867; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libxml2 XML file processing long entity name buffer overflow attempt"; flow:to_client,established; content:"<!ENTITY"; isdataat:200,relative; pcre:"/\x3c\x21ENTITY\s*[^\s\x3e]{200}/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31126; reference:cve,2008-3529; classtype:attempted-user; sid:15866; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,4xm.request; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sophos Anti-Virus zip file handling DoS attempt"; flow:to_client,established; content:"PK|03 04|"; content:"|0C 00|"; within:2; distance:4; content:"-|00 00 00 F9 00 00 00 05 00 FF FF|"; within:12; distance:8; metadata:policy security-ips drop, service http; reference:bugtraq,14270; reference:cve,2005-1530; classtype:attempted-dos; sid:15957; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp midi file header overflow attempt"; flow:to_client,established; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy security-ips drop, service http; reference:bugtraq,18507; reference:cve,2006-3228; classtype:attempted-user; sid:16027; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer nested object tag memory corruption attempt"; flow:to_client,established; content:"<STYLE></STYLE>|0A|<OBJECT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17658; reference:cve,2006-1992; classtype:attempted-user; sid:16031; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GNU tar PAX extended headers handling overflow attempt"; flow:to_client,established; content:"GNU.sparse.numblocks="; nocase; pcre:"/GNU\x2esparse\x2enumblocks\s*\x3d\s*(0|[6-9]\d{4})/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:16053; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; content:"BGCOLOR=|22|http|3A 22|-|9D 22 22| DP=-|B3| UNITS=|22 E2 E2 E2 E2|"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:16050; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox CSS Letter-Spacing overflow attempt"; flow:to_client,established; content:"style=|22|letter-spacing|3A| -2147483648"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-1730; classtype:attempted-user; sid:16044; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SQL Server Distributed Management Objects overflow attempt"; flow:to_client,established; content:"<object classid='clsid|3A|10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'"; nocase; content:"SQLDMO.SQLServer"; nocase; pcre:"/progid\s*\x3d\s*[\x22\x27]SQLDMO\x2eSQLServer[\x22\x27]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:16208; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields"; flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - with optional fields"; flow:to_client,established; content:"|0D 0A 0D 0A|MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,&,0x0004,26,relative,little; byte_jump:2,32,relative,little; pcre:"/^.{2}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16296; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|"; within:4; distance:-24; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,www.microsoft.com/technet/security/bulletin/MS09-072.mspx; classtype:attempted-user; sid:16311; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; content:"OggS"; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36465; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"ServerSize="; distance:0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"HostSize="; distance:0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Compound File Binary v3 file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,http.oless.v3; flowbits:noalert; classtype:misc-activity; sid:16474; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Compound File Binary v4 file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,http.oless.v4; flowbits:noalert; classtype:misc-activity; sid:16475; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; content:"wOFF|00 01 00 00|"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; content:"wOFFOTTO"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"4|3A|pathl"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"4|3A|name"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"7|3A|comment"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"8|3A|announce"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:3;)
# --- Java Web Start JNLP argument injection (CVE-2010-0886 / CVE-2010-1423) ---
# sid 16585: applet MIME type + "-XXaltjvm" (the fast_pattern) + "launchjnlp". None of the
# three contents is relative to another, so they may occur anywhere in the packet, in any
# order; the rule is intentionally loose.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Java Web Start arbitrary command execution attempt"; flow:to_client,established; content:"application/x-java-applet"; nocase; content:"-XXaltjvm"; fast_pattern:only; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16585; rev:1;)
# --- XMPlay ASX file:// href overflow (CVE-2006-6063) ---
# ASX v3 header, an <Entry>, then <ref href="file:// followed immediately (R) by 501
# non-whitespace bytes. No file_data; only drops in the security-ips policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; content:"<ASX VERSION=|22|3|22|>"; nocase; content:"<Entry>"; distance:0; nocase; content:"<ref href=|22|file|3A|//"; distance:0; nocase; pcre:"/^\S{501}/R"; metadata:policy security-ips drop, service http; reference:bugtraq,21206; reference:cve,2006-6063; classtype:attempted-user; sid:16582; rev:1;)
# Internet Explorer variant of 16585: keyed on the CLSID the rule author associates with
# the Java plug-in object (presumably the Java Plug-in control - confirm), then the same
# "-XXaltjvm" / "launchjnlp" strings. Note "-XXaltjvm" here has no nocase, unlike 16585.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; fast_pattern:only; nocase; content:"-XXaltjvm"; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:1;)
# --- Amaya <bdo dir="..."> overflow (CVE-2009-0323) ---
# dir attribute value of at least 500 characters, quoted (single or double) or bare.
# Alert-only: no policy drop metadata, unlike most sibling rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Amaya web editor XML and HTML Parser Buffer overflow attempt"; flow:to_client,established; content:"<bdo"; nocase; pcre:"/^.*?dir\s*=\s*(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\s\>]{500})/isR"; metadata:service http; reference:bugtraq,33047; reference:cve,2009-0323; classtype:attempted-user; sid:16601; rev:1;)
# --- Windows Help Center hcp:// XSS (CVE-2010-1885 / MS10-042) ---
# Searched in the decoded HTTP body (file_data). The PCRE tolerates a literal "<" or a
# URL-encoded "%3c" before "script" and whitespace, "%20" or "/" before "defer", so the
# common encoded variants of the public exploit are covered. The O flag overrides the
# configured PCRE match limit for this expression.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; file_data; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; content:"defer"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40725; reference:cve,2010-1885; reference:url,osvdb.org/show/osvdb/65264; reference:url,www.microsoft.com/technet/security/bulletin/MS10-042.mspx; classtype:attempted-user; sid:16665; rev:3;)
# --- DeepBurner .dbr path attribute overflow (CVE-2006-6665) ---
# <DeepBurner_record> ... <data_cd> ... <file ... path="..."> with a path value of at
# least 272 characters (quoted or bare), evaluated relative (R) to the <file tag.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Astonsoft Deepburner dbr file name buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|DeepBurner_record"; nocase; content:"|3C|data_cd"; distance:0; nocase; content:"|3C|file"; distance:0; nocase; pcre:"/^\s*[^\x3E]*path\s*=\s*(\x22[^\x22]{272}|\x27[^\x27]{272}|[^\s\x3E]{272})/iR"; metadata:policy security-ips drop, service http; reference:bugtraq,21657; reference:cve,2006-6665; reference:url,osvdb.org/show/osvdb/32356; classtype:attempted-user; sid:16696; rev:2;)
# --- Adobe Reader FlateDecode /Colors overflow (CVE-2009-3459) ---
# Fires when a DecodeParms dictionary carries a Colors value of at least four digits.
# Neither content is relative to the other and there is no file_data, so the match is on
# the raw stream; a PDF whose object streams are themselves compressed will not be seen.
# Style: "flow:to_client, established" carries a space after the comma that sibling rules
# omit - harmless if the parser trims it, but worth normalizing for consistency.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration"; flow:to_client, established; content:"FlateDecode"; content:"DecodeParms"; pcre:"/DecodeParms\s*\[[^\]]*Colors\s*\d\d\d\d/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,36600; reference:cve,2009-3459; classtype:attempted-user; sid:16677; rev:1;)
# --- Java Web Start splash-screen PNG overflow (CVE-2009-1097) ---
# Requires the http.png flowbit (set outside this chunk). The PNG signature + IHDR must sit
# at the very start of the body (within:16 after file_data). The PCRE, relative to IHDR,
# alerts when either high-order byte of width or height is non-zero (dimension >= 65536)
# or the bit-depth byte is > 0x10. metadata lacks "service http" that sibling rules carry.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start Splashscreen PNG processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; within:16; pcre:"/^([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/Rs"; metadata:policy security-ips drop; reference:bugtraq,34240; reference:cve,2009-1097; classtype:attempted-user; sid:16716; rev:2;)
# --- UltraISO .ccd "INDEX 1=" overflow (CVE-2009-1260) ---
# "[CloneCD]" at body start, then "INDEX 1=" followed by 256 bytes with no newline.
# isdataat:256,relative must precede the negated content so that a short packet is not
# mistaken for a long value.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]"; within:9; content:"INDEX 1="; distance:0; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1260; reference:url,osvdb.org/show/osvdb/53275; classtype:attempted-user; sid:16733; rev:1;)
# --- CA AV engine CAB header overflow (CVE-2007-2864) ---
# "MSCF" at body start; byte_test requires the 2-byte field at +24 after the signature to
# equal 1; byte_jump reads the 4-byte little-endian offset at +12, jumps there and backs
# up 20; the PCRE then skips 16 bytes and requires 256 consecutive non-NUL bytes.
# Presumably: cFiles == 1, jump to coffFiles, skip the CFFILE fixed header and test the
# szName length - confirm against the CAB layout before changing any offset.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF"; within:4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:1;)
# --- Orbital Viewer .orb overflow (CVE-2010-0688) ---
# Header line then 512 non-NUL bytes. No file_data, so the header may match mid-stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; content:"OrbitalFileV1.0|0D 0A|"; pcre:"/^[^\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:2;)
# --- IDEAL Administration .ipj overflow (CVE-2009-4265) ---
# Section header within the first 22 bytes of the body, then "Computer=" followed by 512
# bytes containing neither whitespace nor NUL.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|"; within:22; content:"Computer="; distance:0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-4265; reference:url,osvdb.org/show/osvdb/60681; classtype:attempted-user; sid:16727; rev:1;)
# --- SafeNet SoftRemote policy file overflow (CVE-2009-3861) ---
# Registry-export style key path, then a "GROUPNAME"=" value with no closing quote in the
# next 256 bytes (isdataat guards the negated content). No file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|"; distance:0; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3861; reference:url,osvdb.org/show/osvdb/59724; classtype:attempted-user; sid:16732; rev:1;)
# --- UltraISO .cue FILE "..." overflow (CVE-2007-2888) ---
# 'FILE "' at body start, then 512 bytes without a closing double quote.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT UltraISO CUE file handling stack buffer overflow attempt"; flow:to_client,established; file_data; content:"FILE |22|"; within:6; isdataat:512,relative; content:!"|22|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24140; reference:cve,2007-2888; classtype:attempted-user; sid:16734; rev:1;)
# --- VariCAD .dwb overflow (bugtraq 38815, no CVE referenced) ---
# 12-byte magic at body start, then 512 bytes containing neither newline nor "=".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|"; within:12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38815; reference:url,osvdb.org/show/osvdb/63067; classtype:attempted-user; sid:16736; rev:1;)
# --- ProShow Gold .psh overflow (CVE-2009-3214) ---
# Show-file banner within the first 41 bytes, then the image key followed by 512 bytes
# with no newline.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version"; within:41; content:"cell[0].images[0].image="; distance:0; isdataat:512,relative; content:!"|0A|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16730; rev:1;)
# --- VLC .ty demuxer overflow (CVE-2008-4654) ---
# 12-byte TY magic at body start; the 4-byte big-endian field at +8 after it must be > 32.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; within:12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:1;)
# --- VLC smb:// Win32AddConnection overflow (CVE-2009-2484), two delivery paths ---
# Both rules share one msg and look for "smb://" followed by 251 bytes excluding
# whitespace, CR, LF and "<". 16751 requires the http.m3u.download flowbit; 16752
# requires xspf_file.request. Both bits are set outside this chunk.
# Style: 16751 writes "flowbits:isset, http.m3u.download" with a space, whereas 16739
# below writes the same bit without one - normalize so a grep for the bit name finds both
# (assumed to be the same bit; the parser is expected to trim the space).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset, http.m3u.download; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16751; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,xspf_file.request; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16752; rev:1;)
# --- MultiMedia Jukebox playlist overflow (CVE-2009-2650) ---
# Playlist body that begins with "http://" followed by 256 non-whitespace bytes.
# Alert-only (no policy drop metadata).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MultiMedia Jukebox multiple playlist file handling overflow attempt"; flow:to_client,established; flowbits:isset,http.m3u.download; file_data; content:"http|3A 2F 2F|"; within:7; pcre:"/^[^\s]{256}/R"; metadata:service http; reference:cve,2009-2650; reference:url,osvdb.org/show/osvdb/55924; classtype:attempted-user; sid:16739; rev:1;)
# --- DX Studio Player shell.execute command injection (CVE-2009-2011) ---
# "<dxstudio" is the fast pattern; "<?xml" is NOT relative to it (may occur anywhere);
# "shell.execute" must follow "<?xml".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT DX Studio Player plug-in command injection attempt"; flow:to_client,established; content:"<dxstudio"; fast_pattern:only; nocase; content:"<?xml"; content:"shell.execute"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35273; reference:cve,2009-2011; classtype:attempted-user; sid:16744; rev:1;)
# --- Windows .lnk download (CVE-2010-2568 / MS10-046) ---
# Matches the 20-byte shell-link header at the start of the HTTP body (0x4C header size
# followed by what is presumably the ShellLink CLSID - confirm). This is deliberately
# broad: it alerts/drops on EVERY .lnk served over HTTP, not only exploit files. Expect
# noise on sites that legitimately serve shortcuts; threshold or suppress per source.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft LNK shortcut download attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2568; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms10-046.mspx; classtype:attempted-user; sid:17042; rev:4;)
# --- FeedDemon OPML <outline text="..."> overflow (CVE-2009-0546) ---
# text attribute of at least 500 characters (quoted or bare), relative to "<outline".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml"; nocase; content:"|3C|outline"; distance:0; nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:1;)
# --- VLC renamed-zip handling (bugtraq 40428) ---
# Three copies of one check: a zip local-file-header signature at the start of the body
# when the request was for a .mp4 / .mp3 / .avi (flowbits http.mp4, http.mp3, http.avi,
# set outside this chunk). Any zip served under a media extension triggers these.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 3"; flow:to_client,established; flowbits:isset,http.mp4; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17150; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 2"; flow:to_client,established; flowbits:isset,http.mp3; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17149; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 1"; flow:to_client,established; flowbits:isset,http.avi; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17148; rev:1;)
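# --- QuickTime JPEG Huffman table underflow (CVE-2005-0903) ---
# Requires the http.jpeg flowbit (set outside this chunk). Matches a fixed 21-byte DHT
# marker segment (FF C4, length 0x0211, then a table with a run of zero counts) anywhere
# in the stream; no file_data. The pattern is the one from the public crash file, so
# variants with different lengths or counts are not covered.
# Fix: the msg carried a double space ("WEB-CLIENT  QuickTime"), which breaks exact-match
# correlation on the alert name in downstream tooling; normalized and rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt"; flow:to_client,established; flowbits:isset,http.jpeg; content:"|FF C4 02 11 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:service http; reference:bugtraq,12905; reference:cve,2005-0903; classtype:attempted-user; sid:10126; rev:7;)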
# --- Firefox arguments.callee.__parent__.eval (CVE-2005-1532) ---
# Exact PoC token sequence; "__parent__.eval" is the fast pattern. "flow:established,
# from_server" is equivalent to the "to_client" used elsewhere, just written differently.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt"; flow:established, from_server; content:"arguments|2E|callee|2E|"; nocase; content:"|5F 5F|parent|5F 5F 2E|eval"; distance:0; fast_pattern; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,13645; reference:cve,2005-1532; reference:url,secunia.com/advisories/15528/; classtype:attempted-user; sid:17212; rev:3;)
# --- Safari <li value=NNNNNNNNNN> (CVE-2006-1988) ---
# value attribute with at least ten digits inside the <li tag. Alert-only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari LI tag with large VALUE attribute exploit attempt"; flow:to_client,established; file_data; content:"<li"; nocase; pcre:"/^[^\x3E]+?value\s*\x3D\s*\d{10}/iR"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1988; classtype:attempted-user; sid:17218; rev:1;)
# --- Firefox chrome page-loading restriction bypass (CVE-2005-2706) ---
# window.open with about:mozilla within 50 bytes, then document.write with about:config
# within 50 bytes (the fast pattern).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:established, to_client; content:"window|2E|open"; nocase; content:"about|3A|mozilla"; within:50; nocase; content:"document|2E|write"; distance:0; nocase; content:"about|3A|config"; within:50; fast_pattern; nocase; metadata:policy security-ips drop, service http; reference:cve,2005-2706; reference:url,secunia.com/advisories/16911/; classtype:attempted-user; sid:17213; rev:1;)
# --- Safari <table cellspacing=NNNNNNNNNN> (CVE-2006-1986) ---
# "cellspacing" followed by "=" and at least ten digits. Alert-only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari TABLE tag with large CELLSPACING attribute exploit attempt"; flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1986; classtype:attempted-user; sid:17216; rev:1;)
# --- Excel sheet-name memory corruption (CVE-2007-3490) ---
# Requires http.xls. "Sheet1" must be followed IMMEDIATELY by the 20-byte record (a
# 20-byte content with within:20 leaves no slack). No file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"Sheet1"; content:"|8C 00 04 00 56 00 56 00 C1 01 08 00 C1 01 00 00 80 38 01 00|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:1;)
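# --- Kodak Imaging malformed TIFF (CVE-2007-2217 / MS07-055; CVE-2010-3950 / MS10-105) ---
# sids 17229/17230 are silent flowbit setters keyed on the TIFF byte-order mark at the start
# of the HTTP body; sids 17231/17232 are the checkers that require the matching bit and then
# look for an IFD entry (tag 0x0102, type 3, as read in the file's byte order) whose 4-byte
# count field is greater than 6.
# Fix: the two setters used the header "$HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any" while
# both checkers use "$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any". Flowbits are per-flow, so
# with the usual disjoint $HOME_NET/$EXTERNAL_NET the bit was only ever set on flows the
# checkers never inspect (internal server -> external client), and the checkers could never
# fire on the flows they watch (external server -> internal client). The setters now use
# the same header as the checkers; rev bumped per convention. Checker lines are unchanged.
# NOTE(review): 17232 says "large offset" and 17231 "small offset" but both apply the same
# "count > 6" test; the msg wording may be stale - confirm against the rule author's intent.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tiff file download - little-endian"; flow:to_client,established; file_data; content:"II|2A 00|"; within:4; flowbits:set,http.tiff.little; flowbits:noalert; classtype:misc-activity; sid:17229; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_client,established; flowbits:isset,http.tiff.big; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:service http; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-105.mspx; classtype:attempted-user; sid:17232; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tiff file download - big-endian"; flow:to_client,established; file_data; content:"MM|00 2A|"; within:4; flowbits:set,http.tiff.big; flowbits:noalert; classtype:misc-activity; sid:17230; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_client,established; flowbits:isset,http.tiff.little; content:"|02 01 03 00|"; byte_test:4,>,6,0,relative,little; metadata:service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:17231; rev:4;)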
# --- Firefox nsPropertyTable corruption (CVE-2009-3070) ---
# "-moz-column-" is the fast pattern; the first PCRE finds an <html> tag mentioning height,
# the second (relative to it) a <body> tag with position/inherit/-moz-column-(count|width)
# and documentElement.style.height in that order. Tightly bound to the public PoC markup.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox nsPropertyTable PropertyList memory corruption attempt"; flow:established, to_client; content:"-moz-column-"; fast_pattern:only; content:"documentElement.style.height"; pcre:"/<html[^>]*?height[^>]*?>/smi"; pcre:"/<body[^>]*?position[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?documentElement\.style\.height[^>]*?/smiR"; metadata:policy security-ips drop, service http; reference:cve,2009-3070; reference:url,secunia.com/advisories/36671/; classtype:attempted-user; sid:17236; rev:1;)
# --- Firefox image drag-and-drop (CVE-2005-0230) ---
# An <img tag whose attributes contain ".bat" before the closing ">".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox image dragging exploit attempt"; flow:to_client,established; content:"|3C|img|20|"; content:"|2E|bat"; distance:0; fast_pattern; nocase; pcre:"/\x3cimg\s[^\x3e]*\x2ebat/i"; metadata:policy security-ips drop, service http; reference:cve,2005-0230; classtype:attempted-user; sid:17245; rev:2;)
# --- iTunes AAC stsz integer overflow (CVE-2006-1467) ---
# After "mp4a" and an "stsc" atom tag, byte_jump reads the stsc atom size (4 bytes at -8,
# i.e. the size field preceding the tag) and lands on the next atom's tag, which must be
# "stsz". That atom's size (4 bytes at -8) must be < 257 while the 4-byte big-endian value
# at +8 after the tag must be > 60 - presumably sample_count, i.e. an stsz atom too small
# for the number of entries it declares. Confirm the atom layout before re-tuning.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes AAC file handling integer overflow attempt"; flow:to_client,established; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy security-ips drop, service http; reference:bugtraq,18730; reference:cve,2006-1467; classtype:attempted-user; sid:16055; rev:3;)
# --- PowerPoint malformed data record (CVE-2006-3876) ---
# Requires http.ppt. Record type bytes F2 03, then (skipping one byte) a fixed 17-byte
# sequence that must start exactly there (within:17 with a 17-byte content).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint malformed data record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|F2 03|"; content:"|AA AA AA 2F 00 C8 0F 0C 00 00 00 30 00 D2 0F 04 00|"; within:17; distance:1; metadata:policy security-ips drop, service http; reference:bugtraq,20322; reference:cve,2006-3876; classtype:attempted-user; sid:17292; rev:2;)
# --- Firefox plug-in access-control bypass (CVE-2005-0527) ---
# Matches literal strings from the public PoC (the c:\\\\booom.bat path, the createUnique
# and outputStream.init calls). Renaming the file or reformatting the script evades it;
# treat as PoC coverage only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox plugin access control bypass attempt"; flow:to_client,established; content:"file|2E|initWithPath|28 22|c|3A 5C 5C 5C 5C|booom|2E|bat"; content:"xpcom|20 2B 3D 20 27|file|2E|createUnique"; content:"outputStream|2E|init|28|file|2C|0x04|7C|0x08|7C|0x20|2C|420"; metadata:policy security-ips drop, service http; reference:bugtraq,12655; reference:cve,2005-0527; classtype:attempted-user; sid:17265; rev:2;)
# --- Firefox XUL tree use-after-free (CVE-2009-1044) ---
# Literal PoC statements (timedSelect(1,8000), selection=null, delete tree/selection);
# the last content is not relative. PoC coverage only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|"; distance:0; content:"delete|20|tree"; distance:0; content:"delete|20|selection"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:1;)
# --- RealPlayer AVI strf overflow (CVE-2005-2052) ---
# Requires http.avi. "strf", then 08 00 exactly 18 bytes later, then the 4-byte
# little-endian value at +16 after that must exceed 0x100.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer AVI parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.avi; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,13530; reference:cve,2005-2052; classtype:attempted-user; sid:17272; rev:2;)
# --- Office routing slip (CVE-2006-0009) ---
# Requires http.xls. The fixed bytes end in "41 41 41 41" (PoC filler); any other filler
# byte evades the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office malformed routing slip code execution attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"Routing|3A 20|"; content:"|B9 00 9B 05 56 04 3F 05 00 00 41 41 41 41|"; distance:0; metadata:policy security-ips drop, service http; reference:bugtraq,17000; reference:cve,2006-0009; classtype:attempted-user; sid:17284; rev:2;)
# --- Windows Web View script injection (CVE-2005-1191) ---
# Requires http.doc. 1E 00 00 00 (fast pattern), then within the following run of non-NUL
# bytes an "@" followed by "javascript".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Web View script injection attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|1E 00 00 00|"; fast_pattern; content:"javascript"; distance:0; nocase; pcre:"/\x1e\x00\x00\x00.{4}[^\x00]*?\x40[^\x00]*?javascript/i"; metadata:policy security-ips drop, service http; reference:bugtraq,13248; reference:cve,2005-1191; classtype:attempted-user; sid:17271; rev:2;)
# --- PowerPoint PPT parsing memory corruption (CVE-2006-3656) ---
# Requires http.ppt. Single fixed 16-byte pattern as the fast pattern; no file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint PPT file parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|A4 37 7A 00 81 00 00 00 00 00 82 00 00 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,18993; reference:cve,2006-3656; classtype:attempted-user; sid:17285; rev:2;)
# --- IE <IFRAME src="file://..."> overflow (CVE-2004-1050) ---
# An IFRAME whose src is a file:// URL of at least 400 characters without quote,
# whitespace or ">".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE malformed iframe buffer overflow attempt"; flow:to_client,established; content:"<IFRAME "; nocase; content:"file|3A|//"; distance:0; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)file\x3a\x2f\x2f[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop, service http; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:4;)
# --- Word SmartTag record (CVE-2008-2244) ---
# Requires http.doc. Fixed 16-byte pattern; no file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word SmartTag record code execution attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:17308; rev:1;)
# --- Word TextBox sub-document corruption (CVE-2007-1910) ---
# Requires http.doc. 17-byte pattern, then a 12-byte pattern exactly 23 bytes later.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; within:12; distance:23; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,23380; reference:cve,2007-1910; classtype:attempted-user; sid:17301; rev:1;)
# --- OLE compound-document flowbit setter ---
# Silent (noalert) setter for http.ole, consumed by sid 17315 below. The 8-byte OLE magic
# is unanchored (no file_data, depth or within), so it is searched in every server packet
# and also sets the bit when the magic appears mid-stream. Anchoring it (file_data +
# within:8) would cut the search cost but would also change which flows get the bit, so
# it is left as-is here. No "service http" metadata, unlike the consumer.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OLE Document file download"; flow:from_server,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; flowbits:set,http.ole; flowbits:noalert; classtype:misc-activity; sid:17314; rev:4;)
# --- IE cloneNode memory corruption (CVE-2007-3903) ---
# document.createElement followed by TWO ".cloneNode()" occurrences (the second content
# is a repeat with distance:0). No metadata block at all - no policy or service tag.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer clone object memory corruption attempt"; flow:established, to_client; content:"document|2E|createElement"; nocase; content:"|2E|cloneNode()"; distance:0; fast_pattern; nocase; content:"|2E|cloneNode()"; distance:0; nocase; reference:bugtraq,26816; reference:cve,2007-3903; classtype:attempted-user; sid:17303; rev:1;)
# --- PowerPoint MCAtom (CVE-2006-5296), record type 0x0FF9 ---
# Requires http.ppt. Record header F9 0F with a 4-byte length field of 4, then the 4-byte
# little-endian payload must be > 2147483646 (sign bit set). Sibling sids 17318 (0x0FF8)
# and 17319 (0x0FFA) are the same shape; note 17318 tests "> 2" rather than the sign bit -
# asymmetric by design or a typo, cannot tell from here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint MCAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|F9 0F 04 00 00 00|"; byte_test:4,>,2147483646,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,20495; reference:cve,2006-5296; classtype:attempted-user; sid:17320; rev:2;)
# --- OpenOffice OLE stream overflow (CVE-2008-0320) ---
# Requires http.ole (set by sid 17314). UTF-16LE "WordDocument" stream name, then the
# 4-byte sequence 22 10 00 80 exactly 96 bytes later.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice OLE File Stream Buffer Overflow"; flow:from_server,established; flowbits:isset,http.ole; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; nocase; content:"|22 10 00 80|"; within:4; distance:96; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:17315; rev:1;)
# --- Works converter header index table overflow (CVE-2008-0105) ---
# Requires works.download (set outside this chunk). Fixed 19-byte pattern.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Works file converter file section header index table stack overflow attempt"; flow:to_client,established; flowbits:isset,works.download; content:"|22 07 00 00 00 22 22 22 22 00 22 06 00 00 00 02 00 46 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,27658; reference:cve,2008-0105; classtype:attempted-user; sid:17304; rev:1;)
# --- PowerPoint MCAtom (CVE-2006-5296), record type 0x0FF8 - see sid 17320 above ---
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint MCAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|F8 0F 04 00 00 00|"; byte_test:4,>,2,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,20495; reference:cve,2006-5296; classtype:attempted-user; sid:17318; rev:2;)
# --- Windows GRE WMF read exception (CVE-2006-0143) ---
# Requires wmf.download. In the decoded body: header bytes 00 09 00 00 03 and a record
# size of 4; the first PCRE (anchored with /m, not relative) requires the header to be
# preceded by 01 or 02 at a line start, the second (relative) requires the 4-byte record
# to be followed by function byte 26 or FF.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows GRE WMF Handling Memory Read Exception attempt"; flow:established,to_client; flowbits:isset,wmf.download; file_data; content:"|00 09 00 00 03|"; content:"|04 00 00 00|"; distance:0; pcre:"/^(\x01|\x02)\x00\x09\x00{2}\x03/m"; pcre:"/\x04\x00{3}(\x26|\xff)/Rm"; metadata:policy security-ips drop, service http; reference:bugtraq,16167; reference:cve,2006-0143; classtype:attempted-user; sid:17330; rev:2;)
# --- Windows folder GUID code execution (CVE-2006-3281) ---
# URL-encoded "%2e%2e%5c" (..\) followed by a name ending in ".{<GUID>}" where the GUID is
# the one the rule author tied to the vulnerable shell folder class (fast pattern).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Folder GUID Code Execution attempt"; flow:to_client,established; content:".|7B|3050F4D8-98B5-11CF-BB82-00AA00BDCE0B|7D|"; fast_pattern:only; nocase; pcre:"/\x252e\x252e\x255c[^\s\x2e]*?\x2e\x7B3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\x7d/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,19389; reference:cve,2006-3281; classtype:attempted-user; sid:17316; rev:2;)
# --- PowerPoint MCAtom (CVE-2006-5296), record type 0x0FFA - see sid 17320 ---
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint MCAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|FA 0F 04 00 00 00|"; byte_test:4,>,2147483646,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,20495; reference:cve,2006-5296; classtype:attempted-user; sid:17319; rev:2;)
# --- Firefox Array.splice corruption (CVE-2009-0773), PoC variant "toto" ---
# Literal PoC statements; sid 17398 is the same check with different literals.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:1;)
# --- QuickTime udta heap overflow (CVE-2007-0714) ---
# Requires http.quicktime. "udta", then "(c)nam" immediately followed by 0xFF.
# NOTE(review): the trailing |FF| consumed by the content looks like the high byte of the
# 2-byte length that follows the tag; byte_test then starts at offset 0 AFTER that byte,
# so it compares the low length byte together with the next byte rather than the length
# itself. If the length is what is meant, the offset should be -1 (or the FF dropped from
# the content) - confirm against the udta item layout before changing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,http.quicktime; content:"udta"; content:"|A9|nam|FF|"; distance:0; byte_test:2,>,251,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:1;)
# --- Help Workshop .hpj HLP= overflow (CVE-2007-0427) ---
# A line starting with "HLP" "=" and a value of at least 257 non-newline bytes. No
# file_data and no "service http" metadata.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt"; flow:to_client,established; content:"HLP"; nocase; pcre:"/^\s*HLP\s*\x3d\s*[^\n]{257}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22135; reference:cve,2007-0427; classtype:attempted-user; sid:17366; rev:2;)
# --- IE setRequestHeader overflow (CVE-2008-1544), literal high-byte variant ---
# setRequestHeader( ... Host|Referer|Content-Length followed by a quote and then a byte
# >= 0xA0 before the next comma. No metadata block. sid 17385 covers the fromCharCode form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt"; flow:to_client,established; content:"XMLHttpRequest"; nocase; content:"setRequestHeader"; distance:0; nocase; pcre:"/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length)[\x22\x27][^\x2c]*[\xA0-\xFF]/smi"; reference:bugtraq,28379; reference:cve,2008-1544; classtype:attempted-user; sid:17384; rev:1;)
# --- IE nested-tag corruption (CVE-2008-4844 / MS08-078), unescape()-encoded form ---
# Requires js.rename.unescape, which is set by sid 17400 later in this file; if 17400 is
# disabled this rule never fires. Matches the %-encoded fragment used by the public
# exploit. Category is SPECIFIC-THREATS, unlike the WEB-CLIENT siblings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt - unescaped"; flow:established,to_client; flowbits:isset,js.rename.unescape; content:"|25|53|25|52|25|43|25|3d|25|5c|25|5c|25|26|25|23"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,www.microsoft.com/technet/security/bulletin/ms08-078.mspx; classtype:attempted-user; sid:17401; rev:1;)
# --- OLE automation substringData overflow (CVE-2007-2224) ---
# .substringData(x, 0x7FFFFFF6 .. 0x7FFFFFFF) - second argument written as hex with the
# top 7 nibbles 0x7FFFFFF and a last nibble of 6-F. Decimal spellings are not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft OLE automation string manipulation overflow attempt"; flow:to_client,established; content:"|2E|substringData"; pcre:"/\x2esubstringData\s*\x28[^\x2c]*\x2c\s*0x7(f|F){6}[6-9AaBbCcDdEeFf]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25282; reference:cve,2007-2224; classtype:attempted-user; sid:17421; rev:1;)
# --- Firefox APNG integer overflow (CVE-2008-4064), height check ---
# Requires http.png. After "IHDR" the 4 bytes at +4 (height) must exceed 32767. No
# file_data, so "IHDR" may match anywhere. sid 17379 is a sibling with the same msg.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow"; flow:established,to_client; flowbits:isset,http.png; content:"IHDR"; byte_test:4,>,32767,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4064; classtype:attempted-user; sid:17378; rev:1;)
# --- Excel IMDATA overflow (CVE-2007-0027) ---
# Requires http.xls. Fixed 16-byte record pattern; no file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel IMDATA buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|7F 00 54 01 09 00 01 00 00 00 00 00 0C 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,21856; reference:cve,2007-0027; classtype:attempted-user; sid:17362; rev:1;)
# --- OpenOffice EMF EMR record integer overflow (CVE-2008-2238) ---
# Requires http.emf. After the 4-byte 00 00 00 54 sequence, the little-endian 4-byte value
# at +43 must exceed 0x7FFFFFFF (negative as a signed int). No metadata block.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice EMF file EMR record parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,http.emf; content:"|00 00 00 54|"; byte_test:4,>,2147483647,43,relative,little; reference:cve,2008-2238; reference:url,www.openoffice.org/security/cves/CVE-2008-2238.html; classtype:attempted-user; sid:17388; rev:2;)
# --- Windows Color Management Module ICC overflow (CVE-2005-1219), bXYZ variant ---
# Tag-table entries are walked at 12-byte spacing (within:4 / distance:8), and the 4-byte
# value at +4 after "bXYZ" (presumably the tag size) must exceed 60.
# NOTE(review): the first two contents are BOTH "gXYZ", so this requires two gXYZ entries
# 12 bytes apart before bXYZ; sibling sid 17347 uses rXYZ, gXYZ, bXYZ. Probably a typo for
# "rXYZ" that makes this rule unmatchable on real profiles - confirm and correct upstream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; content:"gXYZ"; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; metadata:policy security-ips drop, service http; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17348; rev:2;)
# --- Firefox XBM overflow (CVE-2005-2701) ---
# Requires http.xbm. Literal array name and data from the public PoC; PoC coverage only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox XBM image processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.xbm; content:"static|20|char|20|gopher|5F|binary|5F|bits|5B 5D|"; content:"0x71|2C 20|0x26|2C 20|0x01|20 20 20 20 20 20|"; distance:0; metadata:policy security-ips drop, service http; reference:bugtraq,14916; reference:cve,2005-2701; classtype:attempted-user; sid:17360; rev:2;)
# --- IE setRequestHeader overflow (CVE-2008-1544), String.fromCharCode variant ---
# Same msg as sid 17384. After the PCRE lands just past "fromCharCode(", byte_test reads
# up to 3 decimal ASCII digits and requires a char code > 160. No metadata block.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt"; flow:to_client,established; content:"XMLHttpRequest"; nocase; content:"setRequestHeader"; distance:0; nocase; pcre:"/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length).*?String.fromCharCode\x28/smi"; byte_test:3,>,160,0,relative,string; reference:bugtraq,28379; reference:cve,2008-1544; classtype:attempted-user; sid:17385; rev:1;)
# --- Firefox Array.splice corruption (CVE-2009-0773), PoC variant "AAAAAAAAAA" ---
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:1;)
# --- Windows Color Management Module ICC overflow (CVE-2005-1219), rXYZ variant ---
# "rXYZ" whose 4-byte value at +4 exceeds 60, followed by "gXYZ" and "bXYZ" as the next
# two 12-byte tag-table entries. Companion of sid 17348.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; content:"rXYZ"; byte_test:4,>,60,4,relative; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; metadata:policy security-ips drop, service http; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17347; rev:2;)
# --- Help Workshop .cnt overflow (CVE-2007-0352) ---
# Requires MS_Help_content_file (set outside this chunk). The Content-Type match is on the
# raw buffer (no http_header modifier) and serves as the fast pattern; file_data then
# resets to the body and the PCRE needs 513 bytes without a newline somewhere in it.
# classtype is web-application-attack where sibling client rules use attempted-user, and
# "flow:to_client, established" carries an extra space - both worth normalizing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Help Workshop CNT Help contents buffer overflow attempt"; flow:to_client, established; flowbits:isset,MS_Help_content_file; content:"Content-Type: text/plain"; fast_pattern:only; file_data; pcre:"/[^\n]{513}/Rsi"; metadata:policy security-ips drop; reference:bugtraq,22100; reference:cve,2007-0352; classtype:web-application-attack; sid:17365; rev:2;)
# --- Word document stream handling (CVE-2007-0870) ---
# Requires http.doc. Fixed 16-byte pattern containing "41 41 41 41" PoC filler.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word document stream handling code execution attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|A8 00 00 00 00 00 00 00 41 41 41 41 10 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25567; reference:cve,2007-0870; classtype:attempted-user; sid:17368; rev:1;)
# --- Renamed unescape() heuristic; sets js.rename.unescape for sid 17401 ---
# "var " then "unescape" 5..105 bytes later; the PCRE requires "var NAME = unescape" where
# NAME is at least six upper-case letters/digits/underscores (nocase applies, so any case).
# This setter has no flowbits:noalert, so it alerts AND drops in both IPS policies on its
# own, with classtype attempted-user. Legitimate minified/obfuscated scripts can match;
# review the hit rate before keeping the drop action.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation"; flow:established,to_client; content:"var "; nocase; content:"unescape"; within:100; distance:5; nocase; pcre:"/var\s+[A-Z][A-Z\d\x5F]{5,}\s*=\s*unescape[\s\x3b]/smi"; flowbits:set,js.rename.unescape; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:17400; rev:1;)
# --- DirectX Targa heap overflow (CVE-2006-4183) ---
# Fixed 18-byte TGA header at the start of the body (width/height 0x80 x 0x80, 32 bpp).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DirectX Targa image file heap overflow attempt"; flow:to_client,established; file_data; content:"|00 00 0A 00 00 00 00 00 00 00 00 00 00 80 00 80 20 20|"; within:18; metadata:policy security-ips drop, service http; reference:bugtraq,24963; reference:cve,2006-4183; classtype:attempted-user; sid:17408; rev:2;)
# --- Winamp ID3v2 tag overflow (CVE-2005-2310) ---
# "ID3" at body start, then a TPE1/TPE2/TIT2 frame id whose 4-byte big-endian size
# exceeds 0x190 (400). If the tag is ID3v2.4 the size field is syncsafe, so the raw
# compare is only approximate there.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Winamp ID3v2 Tag Handling Buffer Overflow attempt"; flow:from_server,established; file_data; content:"ID3"; within:3; pcre:"/T(PE(1|2)|IT2)/iR"; byte_test:4,>,0x190,0,relative,big; metadata:policy security-ips drop, service http; reference:bugtraq,14276; reference:cve,2005-2310; classtype:attempted-user; sid:17351; rev:2;)
# --- Firefox APNG integer overflow (CVE-2008-4064), second variant ---
# NOTE(review): this byte_test converts EIGHT bytes at +4 after "IHDR" and compares the
# 64-bit big-endian result with 32767. Those eight bytes span the 4-byte height plus the
# four 1-byte fields after it, so any non-zero height already yields a value >= 2^32 and
# the test is effectively "any PNG with http.png set". Either the width (1/2/4 bytes) or
# the offset is wrong, and some engine versions reject byte_test widths other than 1, 2 or
# 4 without "string" (rule fails to load). Intended check is unclear - compare with sid
# 17378, which tests the 4-byte height, and fix upstream rather than guessing here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow"; flow:established,to_client; flowbits:isset,http.png; content:"IHDR"; byte_test:8,>,32767,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4064; classtype:attempted-user; sid:17379; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Mozilla Products IDN Spoofing Vulnerability Attempt"; flow:to_server,established; content:"xn--"; fast_pattern; nocase; pcre:"/^Host\x3A\x20(www\x2e)?xn\x2d\x2d/mi"; metadata:policy security-ips drop, service http; reference:bugtraq,12470; reference:cve,2005-0233; classtype:attempted-user; sid:17409; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice RTF File parsing heap buffer overflow attempt"; flow:to_client, established; content:"rtf"; nocase; content:"|5C|prtdata"; distance:0; nocase; isdataat:200,relative; content:!"|0A|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24450; reference:cve,2007-0245; classtype:attempted-user; sid:17403; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; flowbits:isset,http.dmg; content:"|00 00 00 00 4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; content:"bXYZ"; content:"gXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; content:"bXYZ"; within:4; distance:8; metadata:policy security-ips drop, service http; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17349; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:established,to_client; content:"<"; content:"onmousedown"; within:24; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17516; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DirectShow AVI decoder buffer overflow attempt"; flow:to_client, established; content:"RIFF"; content:"strn"; distance:0; nocase; byte_test:4,>,128,0,relative, little; metadata:policy security-ips drop, service http; reference:bugtraq,15063; reference:cve,2005-2128; classtype:attempted-user; sid:17443; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,65535,114,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:17505; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime SMIL File Handling Integer Overflow attempt"; flow:established,to_client; flowbits:isset,quicktime.smil; content:"<smil>"; pcre:"/(author|copyright|information)/smiR"; content:"content|3D|"; distance:1; nocase; isdataat:1024,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:established,to_client; content:"<"; content:"onmouseup"; within:22; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17514; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT BitDefender Internet Security script code execution attempt"; flow:to_client,established; file_data; content:"|52 61 72 21 1A 07 00 CF 90|"; within:9; content:"|3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; within:54; distance:43; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0850; classtype:attempted-user; sid:17459; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla NNTP URL Handling Buffer Overflow attempt"; flow:from_server,established; content:"news|3A 2F 2F|"; pcre:"/news\x3a\x2f\x2f.*?\x2f?(profile|search).*?\x2f.*?\x5c[^\s\x22\x27]{0,1}/si"; metadata:policy security-ips drop, service http; reference:bugtraq,12131; reference:cve,2004-1316; classtype:attempted-user; sid:17482; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer marquee object handling memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|MARQUEE"; nocase; content:"onstart"; distance:0; nocase; pcre:"/\x3c\s*Marquee[^\x3e]*onstart\s*\x3D\s*\x22\s*document\x2e(write|writeln|open)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0554; reference:url,www.microsoft.com/technet/security/bulletin/ms09-014.mspx; classtype:attempted-user; sid:17462; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:established,to_client; content:"<"; content:"onmouseover"; within:24; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17512; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; content:"launchURL"; nocase; content:"http|3A|"; distance:0; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy security-ips alert, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:17468; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel Malformed Record Code Execution attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|9C 00 02 00|"; byte_test:2,>,0x20,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,17101; reference:cve,2006-0031; classtype:attempted-user; sid:17517; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,65535,138,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:17507; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,65535,126,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:17506; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:established,to_client; content:"<"; content:"onload"; within:19; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17515; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:established,to_client; content:"<"; content:"onclick"; within:20; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17513; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel malformed Graphic Code Execution"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 0D 10 38 00 00 00 18 01 61 00 61 00 61 00|"; pcre:"/(\x51\x10..\x01(\x02|\x00)|\x01(\x02|\x00)..\x51\x10)/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,16181; reference:cve,2006-0030; classtype:attempted-user; sid:17511; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT BitDefender Internet Security script code execution attempt"; flow:to_client,established; content:"|58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0850; classtype:attempted-user; sid:17458; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT BitDefender Internet Security script code execution attempt"; flow:to_client,established; file_data; content:"PK|03 04 0A|"; within:5; content:"|3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; within:54; distance:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0850; classtype:attempted-user; sid:17460; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; content:"document|2E|location|2E|replace"; content:"|2E|exe"; distance:0; nocase; content:"|2E|pdf"; distance:0; nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*(\x22|\x27)[a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:17467; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Macromedia Flash ActionDefineFunction memory access vulnerability exploit attempt"; flow:to_client,established; file_data; content:"FWS|06|"; within:4; content:"|43 02|"; within:27; byte_test:1,<,64,3,relative; content:"|03|"; within:1; distance:4; pcre:"/^(\x9B|\x8E)/R"; metadata:service http; reference:bugtraq,15334; reference:cve,2005-2628; classtype:attempted-user; sid:17457; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client, established; flowbits:isset,http.quicktime; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|"; distance:0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|"; distance:0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:established, to_client; content:"window|2E|open"; nocase; content:"about:"; within:10; nocase; content:"document|2E|write"; distance:0; nocase; content:"about:"; within:30; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,14920; reference:cve,2005-2706; classtype:attempted-user; sid:17629; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint Legacy file format picture object code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:17646; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|78 00 05 5F 00 00 0F A0 00 00 0C 01 00 43 02 FF FF FF BF 00 39|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:17633; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client, established; flowbits:isset,http.quicktime; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start JNLP java-vm-args buffer overflow attempt"; flow:to_client,established; content:"|3C|j2se"; content:"java|2D|vm|2D|args"; pcre:"/\x3cj2se[^\x3e]*java\x2dvm\x2dargs\s*\x3d\s*\x22[^\x22]*\x2dea\x3a[^\s\x22\x3e]{100}/si"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:17631; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word array data handling buffer overflow attempt "; flow:to_client,established; flowbits:isset,http.doc; content:"|01 00 00 02 01 00 00 9E 01 00 00 02 01 00 00 96 01 00 00 FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,23804; reference:cve,2007-0035; classtype:attempted-user; sid:17649; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; content:"text-decoration"; nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0943; reference:url,www.microsoft.com/technet/security/bulletin/ms07-045.mspx; classtype:attempted-user; sid:17645; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word Crafted Sprm memory corruption attempt "; flow:to_client,established; flowbits:isset,http.doc; content:"|01 49 66 01 00 00 00 08 D6 FD FF 05 D6 18 04 01 00 00 04 01|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32584; reference:cve,2008-4837; classtype:attempted-user; sid:17591; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ClamAV antivirus CHM file handling denial of service"; flow:to_client, established; content:"ITSF"; content:"|11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; within:16; distance:36; content:"ITSP"; distance:0; byte_test:4,<,8,12,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30994; reference:cve,2008-1389; reference:url,sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661; classtype:attempted-dos; sid:17602; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client, established; content:"first-letter"; nocase; content:"float: right"; distance:0; nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft XML Core Services cross-site information disclosure attempt"; flow:established,to_client; content:"<|21|DOCTYPE "; nocase; content:"SYSTEM"; distance:0; nocase; content:".parseError"; distance:0; fast_pattern; nocase; pcre:"/<\x21DOCTYPE\s+[^>]*?SYSTEM[^>]*?>.*?\x2EparseError/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32155; reference:cve,2008-4029; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-069.mspx; classtype:attempted-recon; sid:17572; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client, established; flowbits:isset,http.quicktime; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GIF image descriptor memory corruption attempt"; flow:to_client,established; file_data; content:"GIF8"; within:4; content:"a"; within:1; distance:1; byte_test:1,!&,0x80,4,relative; pcre:"/^.{7}\x2C.{5}([\xE0-\xFF]|.{2}[\xE0-\xFF])/sR"; metadata:service http; reference:bugtraq,18915; reference:bugtraq,22630; reference:cve,2006-0007; reference:cve,2007-1071; reference:url,www.microsoft.com/technet/security/bulletin/ms06-039.mspx; classtype:attempted-user; sid:17664; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe BMP image handler buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.bmp; content:"Content-Type: text/plain|0D 0A 0D 0A|BM"; fast_pattern:only; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4, >, 256, 36, relative, little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28874; reference:cve,2008-1765; classtype:attempted-user; sid:17678; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows ASF parsing memory corruption attempt"; flow:established,to_client; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; content:"|91 07 DC B7 B7 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; content:"|E0 7D 90 35 15 E4 CF 11 A9 17 00 80 5F 5C 44 2B|"; byte_test:2,>,0xffc6,52,relative,little; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/bulletin/ms07-068.mspx; classtype:attempted-user; sid:17711; rev:2;)
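# sid 17776: the pcre used the content-option |hex| notation ("file|3A 2F 2F|") inside the regex.
# PCRE has no such notation and reads each "|" as alternation, so the pattern split into
# "^.{2}file", "3A 2F 2F" and "[\x21-\x7E]{305}" and matched far more than intended.
# Rewritten with \x escapes: anchored (R) at the CONSTANT_Utf8 tag located by the preceding
# content "|01|", skip the 2-byte length, require "file://" then 305 printable bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java HsbParser.getSoundBank stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,java_class_file.request; file_data; content:"|01 00 2C 28|Ljava|2F|net|2F|URL|3B 29|Ljavax|2F|sound|2F|midi|2F|Soundbank"; content:"|01 00 0C|getSoundbank"; content:"file|3A 2F 2F|"; byte_test:2,>,312,-9,relative,big; content:"|01|"; within:1; distance:-10; pcre:"/^.{2}file\x3a\x2f\x2f[\x21-\x7E]{305}/R"; metadata:service http; reference:bugtraq,36881; reference:cve,2009-3867; classtype:attempted-user; sid:17776; rev:3;)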
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Director Movie File Embedded"; flow:established,to_client; content:"application/x-director"; fast_pattern:only; flowbits:set,http.dir; flowbits:noalert; classtype:protocol-command-decode; sid:17801; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:established,to_client; flowbits:isset,http.dir; content:"rcsL"; content:"|FF F0 02 67|"; within:4; distance:203; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17803; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox html tag attributes memory corruption"; flow:established,to_client; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|"; nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]"; distance:0; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla products graphics and XML features integer overflows attempt"; flow:to_client,established; content:"<?xml"; content:"<svg"; distance:0; content:"<filter"; distance:0; pcre:"/^[^\x3E]*(width|height)\s*\x3D\s*(\x22|\x27)([3-9]\d{4}|\d{6})/R"; metadata:policy security-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:16037; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java browser plugin docbase overflow attempt"; flow:established,to_client; content:"launchjnlp"; fast_pattern; nocase; content:"docbase"; within:100; nocase; pcre:"/name\s*=\s*[\x22\x27]docbase[\x22\x27]\s+value\s*=\s*[\x22\x27][^\x22\x27]{200}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18244; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Fax Services Cover Page Editor overflow attempt"; flow:established,to_client; content:"FAXCOVER-VER005w"; nocase; content:"|87 00 00 00 4C 17 00 00 00 00 00 00 52 03 00 00|"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.vupen.com/english/advisories/2010/3327; classtype:attempted-user; sid:18246; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00|"; content:"|11 00 00 00|"; distance:0; content:"|47 00 00 00|"; distance:0; content:"|08 00 00 00 28 00 00 00|"; within:8; distance:8; byte_test:1,&,0x80,31,relative; pcre:"/^.{10}[\x01\x04\x08\x16\x24\x32]\x00/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-3970; reference:url,www.microsoft.com/technet/security/bulletin/MS11-006.mspx; classtype:attempted-user; sid:18265; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer drag-and-drop vulnerability"; flow:established,to_client; content:"CreateObject|28 22|ADODB.Connection|22 29|"; nocase; content:"dbq=http|3A 2F 2F|"; distance:0; fast_pattern; nocase; metadata:service http; reference:bugtraq,11466; reference:cve,2005-0053; reference:url,www.microsoft.com/technet/security/bulletin/MS05-008.mspx; classtype:attempted-user; sid:18282; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer implicit drag and drop file installation attempt"; flow:to_client,established; content:"folder"; nocase; content:"|22|shell|3A|"; distance:0; nocase; pcre:"/folder\s*=\s*\x22shell\x3a/i"; metadata:policy security-ips drop, service http; reference:bugtraq,10973; reference:cve,2004-0839; classtype:attempted-user; sid:18299; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer FTP command injection attempt"; flow:to_client,established; content:"ftp|3A 2F 2F|"; nocase; pcre:"/^[^\s]*\x250[ad]/iR"; metadata:service http; reference:bugtraq,11826; reference:cve,2004-1166; classtype:attempted-user; sid:18300; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML fill method overflow attempt"; flow:from_server,established; content:"|3A 00|f|00|i|00|l|00|l|00|"; nocase; content:"m|00|e|00|t|00|h|00|o|00|d|00|"; distance:0; nocase; pcre:"/<\x00(\w\x00)+\x3a\x00f\x00i\x00l\x00l\x00\s\x00([^>]\x00|>[^\x00])*m\x00e\x00t\x00h\x00o\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x27\x00([^\x27]\x00|\x27[^\x00]){100}|\x22\x00([^\x22]\x00|\x22[^\x00]){100}|([^\s>]\x00|[\s>][^\x00]){100})/i"; metadata:policy security-ips drop; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,www.microsoft.com/technet/security/bulletin/ms06-055.mspx; classtype:attempted-user; sid:18309; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat Reader icc mluc integer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"mluc|00 00 00 00|"; byte_test:4,>,357913941,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43729; reference:cve,2010-3622; classtype:attempted-user; sid:18308; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; content:"white|2D|space|3A|normal|3B|"; nocase; pcre:"/pre\s*\x7b\s*white\x2dspace\x3a\s*normal\s*\x3b\s*\x7d/i"; content:"span|20 2F|"; distance:0; nocase; content:"span|20 2F|"; within:14; nocase; pcre:"/(\x26lt\x3b|\x3c)pre(\x26gt\x3b|\x3e)\s*(\x26lt\x3b|\x3c)span\s\x2f(\x26gt\x3b|\x3e)(\x26lt\x3b|\x3c)span\s\x2f(\x26gt\x3b|\x3e)\s*(\x26lt\x3b|\x3c)\x2fpre(\x26gt\x3b|\x3e)/i"; metadata:policy security-ips drop; reference:cve,2006-1188; classtype:attempted-user; sid:18304; rev:1;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Microsoft MHTML XSS attempt"; flow:to_client,established; content:"mhtml|3A|http|3A 2F 2F|"; fast_pattern:only; pcre:"/(location\x2e[^\x3d\x3e\x22\x27]*|value|src|href)(\x28|\s*=\s*)(\x22|\x27)?MHTML\x3a(http|file)\x3a\x2f\x2f/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0096; reference:url,www.microsoft.com/technet/security/advisory/2501696.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS11-026.mspx; classtype:attempted-user; sid:18335; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Visio DXF variable name overflow attempt"; flow:to_client,established; flowbits:isset,http.dxf; file_data; content:"HEADER"; distance:0; content:"|0A 20 20|9"; distance:0; content:"|0A 24|"; within:3; isdataat:92,relative; content:!"|0A|"; within:92; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:18331; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Hypervisor denial of service vfd download attempt"; flow:to_client,established; content:"|29 66 3A E1 58 4E 4F 20 4E 41 4D 45 20 20 20 20 46 41 54 31 32 20 20 20 6A 00|"; fast_pattern:only; reference:cve,2010-0026; reference:url,www.microsoft.com/technet/security/bulletin/MS10-010.mspx; classtype:attempted-admin; sid:18396; rev:1;)
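# sid 18468: the pcre mixed the content-option |00| hex notation into the regex. PCRE treats
# every "|" as alternation, so the pattern degenerated into a list of near-empty alternatives
# and effectively matched any response that satisfied the two content matches.
# Rewritten with \x00 escapes so the regex matches the null-interleaved "<IFRAME ... src=file://"
# sequence the content matches target, followed by 400 bytes of URL without a closing quote.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE malformed iframe unicode buffer overflow attempt"; flow:to_client,established; content:"|00|<|00|I|00|F|00|R|00|A|00|M|00|E|00| |00|"; nocase; content:"|00|f|00|i|00|l|00|e|00 3A 00|/|00|/|00|"; distance:0; nocase; pcre:"/\x00<\x00I\x00F\x00R\x00A\x00M\x00E\x00[\s\x00]+[^>]*?s\x00r\x00c[\s\x00]*=[\s\x00]*(\x22|\x27)\x00f\x00i\x00l\x00e\x00\x3a\x00\x2f\x00\x2f\x00[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop, service http; reference:cve,2004-1050; classtype:attempted-user; sid:18468; rev:2;)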
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes Playlist Overflow Attempt"; flow:established,to_client; flowbits:isset,http.pls; file_data; content:"[playlist]"; within:10; nocase; isdataat:1000; content:"File"; distance:0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2005-0043; classtype:attempted-user; sid:18483; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes Playlist Overflow Attempt"; flow:established,to_client; flowbits:isset,http.m3u.download; file_data; content:"|23|EXTM3U"; within:7; nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader shell metacharacter code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"begin|20|"; within:6; pcre:"/^begin\s\d+\s[^\s\r\n\t]*\x60/sm"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18527; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime FlashPix Movie file integer overflow attempt"; flow:established, to_client; content:"|00 01 00 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00|"; byte_test:4,>,0x0FFFFFFF,12,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39020; reference:cve,2010-0519; classtype:attempted-user; sid:18510; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Multiple Vendors Microsoft Word file sprmTSetBrc processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|08 D6|"; byte_extract:1,2,NumOfColumns,relative; byte_jump:2,-3,relative,little; content:"|20 D6|"; within:2; distance:-1; byte_test:1,>,NumOfColumns,2,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38218; reference:cve,2009-3302; reference:cve,2010-2563; classtype:attempted-user; sid:18535; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice.org XPM file processing integer overflow attempt"; flow:to_client,established; flowbits:isset,http.xpm; content:"/* XPM */"; fast_pattern; content:"static char *"; distance:0; pcre:"/^[^\x22]+\x22(\d+\x20+){2}/R"; byte_test:10,>,419062,0,relative,string; byte_test:10,>,10244,1,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38218; reference:cve,2009-2949; classtype:attempted-user; sid:18537; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|"; within:300; content:".charCodeAt|28|"; within:100; content:".replace"; within:100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:17111; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime PICT file overread buffer overflow attempt"; flow:established,to_client; content:"|00 11 02 FF 0C 00 FF|"; byte_jump:2,-17,relative,post_offset -4,big; isdataat:1,relative; content:!"|00 FF|"; within:2; metadata:policy security-ips drop; reference:bugtraq,28583; reference:cve,2008-1019; classtype:attempted-user; sid:18561; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows wmf integer overflow attempt"; flow:from_server,established; flowbits:isset,wmf.download; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|00 00|"; within:2; distance:12; byte_test:4,>,0x7fffc002,0,little,; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-046.mspx; classtype:web-application-attack; sid:18583; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF malformed pfragments field"; flow:established,to_client; flowbits:isset,http.rtf; file_data; content:"pFragments"; distance:0; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087.mspx; classtype:attempted-user; sid:18680; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF malformed second pfragments field"; flow:established,to_client; flowbits:isset,http.rtf; file_data; content:"pFragments"; distance:0; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087.mspx; classtype:attempted-user; sid:18706; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel BIFF v5 file download attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|09 08 08 00 00 05 05 00|"; flowbits:set,http.xls.biff5; flowbits:noalert; classtype:misc-activity; sid:18810; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat/Reader JpxDecode invalid crgn memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"jp2c|FF 4F|"; content:"|FF 5E 00|"; distance:0; pcre:"/\xff\x5e\x00(\x05[\x80-\xff]|\x06\x00[\x80-\xff]|\x06[^\x00])/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37757; reference:cve,2009-3955; classtype:attempted-user; sid:18801; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT vlc player subtitle buffer overflow attempt"; flow:established,to_client; content:"[Script Info]"; nocase; content:"[Events]"; distance:0; nocase; content:"Dialogue|3A|"; within:11; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; metadata:policy security-ips drop; reference:bugtraq,27015; reference:cve,2007-6681; classtype:attempted-admin; sid:18744; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint bad text header txttype attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|9F 0F 04 00 00 00|"; byte_test:4,>,8,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,www.microsoft.com/technet/security/bulletin/MS06-028.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS11-036.mspx; classtype:attempted-user; sid:16188; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MSXML2 ActiveX malformed HTTP response"; flow:established,to_client; content:"HTTP 4|0A|"; depth:7; reference:cve,2010-2561; reference:url,www.microsoft.com/technet/security/bulletin/ms10-051.mspx; classtype:attempted-dos; sid:18962; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MSXML2 ActiveX malformed HTTP response"; flow:established,to_client; content:"HTTP 99|0A|"; depth:8; reference:cve,2010-2561; reference:url,www.microsoft.com/technet/security/bulletin/ms10-051.mspx; classtype:attempted-dos; sid:18961; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; content:"debug|28 2D|parseFloat|28 22|NAN|28|ffffe"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT javascript uuencoded eval statement"; flow:to_client,established; content:"unescape"; nocase; content:"%u0065"; distance:0; nocase; content:"%u0076"; distance:0; nocase; content:"%u0061"; distance:0; nocase; content:"%u006c"; distance:0; nocase; pcre:"/unescape\s*\x28[\x22\x27]\s*\x25u0065\s*\x25u0076\s*\x25u0061\s*\x25u006c/i"; metadata:policy security-ips drop; classtype:misc-activity; sid:19075; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/Subtype"; nocase; content:"/TrueType"; within:20; nocase; content:"name"; within:1024; byte_test:4,=,0,8,relative; content:"SING"; byte_test:4,!=,0,8,relative; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18987; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT javascript uuencoded noop sled attempt"; flow:to_client,established; content:"unescape"; nocase; content:"%u9090%u9090"; distance:0; nocase; pcre:"/unescape\s*\x28[\x22\x27]\s*\x25u9090\x25u9090/i"; metadata:policy security-ips drop; classtype:misc-activity; sid:19074; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/Subtype"; nocase; content:"/OpenType"; within:20; nocase; content:"name"; within:1024; byte_test:4,=,0,8,relative; content:"SING"; byte_test:4,!=,0,8,relative; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18986; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Oracle Java Soundbank resource name overflow attempt"; flow:established,to_client; content:"snd|20 00 00|"; byte_test:1,>,0x7F,2,relative; metadata:policy security-ips drop; reference:bugtraq,39070; reference:cve,2010-0839; classtype:attempted-user; sid:19100; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word malformed index code execution attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|02 00 60 00 0C 14 FF 00 04 61 D5 00 B0 00 08 00 53 00 75 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43766; reference:cve,2010-2750; classtype:attempted-user; sid:19153; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MSPaint jpeg with malformed SOFx field exploit attempt"; flow:to_client, established; flowbits:isset, http.jpeg; content:"|FF C0 00 11 08 FF 37 55 99 03 01 22 00 02 11 01 03 11 01|"; metadata:policy security-ips drop; reference:cve,2010-0028; reference:url,www.microsoft.com/technet/security/bulletin/MS10-003.mspx; classtype:attempted-user; sid:19130; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player SWF file MP4 data parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.swf; flowbits:isset,http.mp4; content:"stsc"; byte_test:4,>,0xFFFF,12,relative,big; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,>,10,8,relative,big; pcre:"/^.{12}([^\x00].{3}){10}/sR"; metadata:policy security-ips drop; reference:bugtraq,40801; reference:cve,2010-2162; reference:url,www.adobe.com/support/security/bulletins/apsb10-14.html; classtype:attempted-user; sid:19148; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; content:"|3C|em id|3D 22|obj|22 3E|"; content:"obj|2E|outerHTML|2B 2B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0490; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; classtype:attempted-user; sid:19147; rev:1;)
# WEB-IIS: client-to-server requests ($EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS).
# Keys on the exact request line of the Nessus WebDAV "safe" check (SEARCH / HTTP/1.1, Host header,
# end of headers within 255 bytes), so it catches the scanner probe rather than arbitrary
# exploitation of CVE-2003-0109.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:12;)
# byte_test value 102 is ASCII 'f', i.e. the header must read "Translate: f"; the pcre's I flag
# then looks for two '%' characters in the raw (unnormalized) URI buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS source code disclosure attempt"; flow:to_server,established; content:"Translate|3A| "; nocase; byte_test:1,=,102,0,relative; pcre:"/%.*%/smiI"; metadata:service http; reference:bugtraq,14764; classtype:attempted-recon; sid:17648; rev:1;)
# Matches only the literal overlong encoding %c0%af of '/' in the request line of the listed methods;
# sid:17387 (Tomcat) covers further overlong forms.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV Request Directory Security Bypass attempt"; flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34993; reference:cve,2009-1535; classtype:attempted-admin; sid:17564; rev:1;)
# WEB-MISC: mixed directions — read each rule header before assuming to_server or to_client.
# Setter rule (flowbits:noalert, no alert): marks the flow when ".wav" appears anywhere in a client
# request. There is no buffer modifier, so headers and body are searched too; cheap, but broad.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC WAV Formatfile download attempt"; flow:to_server,established; content:".wav"; nocase; flowbits:set,wav_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15079; rev:1;)
# Gated on caff_request (not the wav_file.request bit set above); its setter is not in this span —
# verify it exists, otherwise this rule never fires.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Nullsoft Winamp CAF file processing integer overflow attempt"; flow:to_client,established; flowbits:isset,caff_request; content:"CAFF|00 01 00 00|desc"; depth:12; nocase; byte_test:4,>,268435455,32,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2009-0186; classtype:attempted-user; sid:16683; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Microsoft Windows GDIplus integer overflow attempt"; flow:to_client,established; content:"|01 00 00 00|"; content:"|20|EMF"; within:4; distance:36; content:"|45 4D 46 2B 08 40|"; pcre:"/\x45\x4d\x46\x2b\x08\x40.(\x06|\x86).{28}([\xf4-\xff]\xff\xff(\xff|\x7f)|[\x00-\x06]\x00\x00\x80)/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:misc-activity; sid:16679; rev:1;)
# 512+ bytes after "Basic " in the Authorization header; the pcre also allows a folded header line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Basic Authorization string overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s[^\n]{512}/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,3230; reference:bugtraq,8375; reference:cve,2001-1067; reference:cve,2003-0727; classtype:attempted-dos; sid:16681; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Citrix Program Neighborhood Agent Buffer Overflow attempt"; flow:from_server,established; content:"|3C|AppData|3E|"; nocase; content:"|3C|InName|3E|"; pcre:"/InName\x3E[^\x3C]{100}/i"; metadata:policy security-ips drop, service http; reference:bugtraq,13373; reference:cve,2004-1078; classtype:attempted-user; sid:17423; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC IBM Lotus Expeditor cai URI handler command execution attempt"; flow:to_client,established; content:"cai|3A|"; nocase; content:"-launcher"; distance:0; nocase; pcre:"/cai\x3a[^\x3e]*?(\x22|\x2522)[^\x3e\x22]*?-launcher/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-1965; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21303813; classtype:attempted-user; sid:17376; rev:2;)
# Overlong UTF-8 forms of "/" and "." (2-, 3- and 4-byte encodings) in either order around a "..".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Apache Tomcat allowLinking URIencoding directory traversal attempt"; flow:to_server,established; content:"|25|ae|2F|"; pcre:"/(((\xc0|\xe0\x80|\xf0\x80\x80)\xaf|\x2f)((\xc0|\xe0\x80|\xf0\x80\x80)\xae|\x2e){2}|(((\xc0|\xe0\x80|\xf0\x80\x80)\xae|\x2e){2}(\xc0|\xe0\x80|\xf0\x80\x80)\xaf|\x2f))/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30633; reference:cve,2008-2938; classtype:suspicious-filename-detect; sid:17387; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Citrix Program Neighborhood Agent Arbitrary Shortcut Creation attempt"; flow:from_server,established; content:"|3C|AppData|3E|"; nocase; content:"|3C|AppInStartmenu|20|value|3D 22|True|22|"; distance:0; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,13379; reference:cve,2004-1077; classtype:attempted-user; sid:17420; rev:2;)
# Long Basic credential: 1332 bytes after "Basic" with no CRLF anywhere in that window.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt"; flow:established,to_server; content:"Authorization|3A 20|Basic"; nocase; isdataat:1332,relative; content:!"|0D 0A|"; within:1332; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33554; reference:cve,2009-0183; classtype:attempted-user; sid:17536; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Apache Struts Information Disclosure Attempt"; flow:established,to_server; content:"/struts/"; nocase; content:"|25|252f"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32104; reference:cve,2008-6505; classtype:attempted-recon; sid:17533; rev:1;)
# Server-side rule ($HTTP_SERVERS -> $EXTERNAL_NET) tracked by_src, i.e. by the responding server:
# 20 "304 Not Modified" responses within one second from one server trip it, and only_stream
# restricts it to reassembled streams. Busy caching/CDN-style servers may reach that rate
# legitimately; measure before relying on the drop policy.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC excessive HTTP 304 Not Modified responses exploit attempt"; flow:to_client, established, only_stream; content:"HTTP/1.1 304 Not Modified"; content:"HTTP/1.1 304 Not Modified"; distance:0; detection_filter:track by_src, count 20, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0947; reference:cve,2007-6239; classtype:misc-activity; sid:16008; rev:6;)
# msg carries a doubled space ("engine  memory"); cosmetic, but relevant to anything that keys on msg text.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Mozilla Firefox browser engine  memory corruption attempt"; flow:to_client, established; content:"first-letter"; nocase; content:"direction"; distance:0; nocase; content:"rtl"; within:8; content:"whitespace |3D| "; distance:0; nocase; content:"pre"; within:10; nocase; content:"|3C|span"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:2;)
# Gated on xml.download (setter outside this span).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Excel REPT integer underflow attempt"; flow:to_client,established; flowbits:isset,xml.download; content:"|3D|rept|28|"; nocase; pcre:"/\x3ccell\s+[^\x3e]*\x3aFormula\s*\x3d\s*\x22\s*\x3drept\x28/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31706; reference:cve,2008-4019; classtype:attempted-user; sid:17734; rev:1;)
# "j_password=%" — a malformed percent-encoding in the Tomcat form login; alert-only in security-ips.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Apache Tomcat username enumeration attempt"; flow:established,to_server; content:"j_username="; nocase; content:"j_password=%"; nocase; metadata:policy security-ips alert, service http; reference:bugtraq,35196; reference:cve,2009-0580; classtype:attempted-recon; sid:18096; rev:1;)
# Three variants (PROPPATCH / PROPFIND / OPTIONS) of one check: method at offset 0 followed by a
# 200+ byte run with no whitespace.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"PROPPATCH"; depth:9; nocase; isdataat:200,relative; pcre:"/^PROPPATCH\s+[^\s]{200}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:18613; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"PROPFIND"; depth:8; nocase; isdataat:200,relative; pcre:"/^PROPFIND\s+[^\s]{200}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:18612; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"OPTIONS"; depth:7; nocase; isdataat:200,relative; pcre:"/^OPTIONS\s+[^\s]{200}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:18611; rev:1;)
# Relative pcre after the servlet path: a "filename=" or "type=" query value containing "..".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:established,to_server; content:"/zenworks-fileupload/?"; fast_pattern; nocase; pcre:"/(filename|type)=[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18793; rev:1;)
# WEB-PHP: very generic heuristic — "Array(" followed within 200 bytes by four spaces and a '.'.
# No reference, no metadata (so no service http or policy tag), classtype trojan-activity.
# Expect hits on ordinary PHP source carried in request bodies; consider a buffer modifier or a
# flowbit gate, and review alerts before treating this as a reliable indicator.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP generic PHP code obfuscation attempt"; flow:established,to_server; content:"Array|28|"; content:"|20 20 20 20 2E|"; within:200; classtype:trojan-activity; sid:18493; rev:1;)
# Shared-object (SO) rule stubs: gid:3 with `metadata: engine shared, soid 3|<sid>`.
# None of these lines carries a content/pcre/byte_test option; the detection logic lives in the
# compiled shared library that the soid refers to. The stub supplies only the header, msg,
# references, classtype, policy metadata and — where present — a flowbits:isset prerequisite.
# If the corresponding SO library is not loaded, or its version does not match the stub, the
# rule is inert. The flowbit gates used here (http.quicktime, http.pub, http.doc, works.download,
# http.pdf, http.xls) depend on setter rules outside this span.
# detection_filter: 50 hits from one source within 10 s before alerting.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt"; sid:15474; gid:3; rev:3; classtype:attempted-dos; detection_filter:track by_src, count 50, seconds 10; reference:cve,2009-0077; reference:url,www.microsoft.com/technet/security/bulletin/MS09-016.mspx; metadata: engine shared, soid 3|15474, service http;)
# Server-side ($HTTP_SERVERS -> $EXTERNAL_NET), tracked by_dst: 12 hits to one destination in 60 s;
# alert-only in both IPS policies.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DOS Microsoft ASP.NET bad request denial of service attempt"; sid:15851; gid:3; rev:3; classtype:attempted-dos; detection_filter:track by_dst, count 12, seconds 60; reference:cve,2009-1536; reference:url,www.microsoft.com/technet/security/bulletin/MS09-036.mspx; metadata: engine shared, soid 3|15851, service http, policy balanced-ips alert, policy security-ips alert;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Microsoft ASP.NET viewstate DoS attempt"; sid:15959; gid:3; rev:2; classtype:attempted-dos; reference:cve,2005-1665; reference:url,osvdb.org/show/osvdb/16195; metadata: engine shared, soid 3|15959, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple Quicktime crgn atom parsing buffer overflow attempt"; sid:13897; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.quicktime; reference:bugtraq,28583; reference:cve,2008-1017; metadata: engine shared, soid 3|13897, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office Publisher memory corruption attempt"; sid:13470; gid:3; rev:7; classtype:attempted-user; flowbits:isset,http.pub; reference:bugtraq,27739; reference:cve,2008-0102; reference:url,www.microsoft.com/technet/security/bulletin/MS08-012.mspx; metadata: engine shared, soid 3|13470, service http, policy balanced-ips drop, policy security-ips drop;)
# sid:13471, 13677, 15083 and 15731 carry no `service http` metadata, unlike most stubs here;
# presumably intentional, but worth confirming if rules are selected by service.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Publisher invalid pathname overwrite"; sid:13471; gid:3; rev:7; classtype:attempted-user; flowbits:isset,http.pub; reference:cve,2008-0104; reference:url,www.microsoft.com/technet/security/bulletin/MS08-012.mspx; metadata: engine shared, soid 3|13471, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer data stream memory corruption attempt"; sid:13677; gid:3; rev:6; classtype:attempted-user; reference:bugtraq,28552; reference:cve,2008-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS08-024.mspx; metadata: engine shared, soid 3|13677, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT rtf malformed dpcallout buffer overflow attempt"; sid:15082; gid:3; rev:2; classtype:attempted-user; reference:cve,2008-4028; reference:url,www.microsoft.com/technet/security/bulletin/MS08-072.mspx; metadata: engine shared, soid 3|15082, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word .rtf file double free attempt"; sid:15083; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-4027; reference:url,www.microsoft.com/technet/security/bulletin/MS08-072.mspx; metadata: engine shared, soid 3|15083, policy security-ips drop;)
# Conficker.C stubs: outbound ($HOME_NET -> $EXTERNAL_NET), and the only stubs here with no policy
# metadata at all — presumably not part of the balanced/security policy selections.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:5; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15451;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 2"; sid:15452; gid:3; rev:5; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15452;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WordPad and Office Text Converters XST parsing buffer overflow attempt"; sid:15455; gid:3; rev:1; classtype:attempted-user; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/MS09-010.mspx; metadata: engine shared, soid 3|15455, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT DirectShow MJPEG arbitrary code execution attempt"; sid:15457; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0084; reference:url,www.microsoft.com/technet/security/bulletin/MS09-011.mspx; metadata: engine shared, soid 3|15457, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer navigating between pages race condition attempt"; sid:15458; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0551; reference:url,www.microsoft.com/technet/security/bulletin/MS09-014.mspx; metadata: engine shared, soid 3|15458, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer deleted/unitialized object memory corruption attempt"; sid:15459; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0552; reference:url,www.microsoft.com/technet/security/bulletin/MS09-014.mspx; metadata: engine shared, soid 3|15459, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer ActiveX load/unload race condition attempt"; sid:15460; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0553; reference:url,www.microsoft.com/technet/security/bulletin/MS09-014.mspx; metadata: engine shared, soid 3|15460, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WordPad WordPerfect 6.x converter buffer overflow attempt"; sid:15466; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0088; reference:url,www.microsoft.com/technet/security/bulletin/MS09-010.mspx; metadata: engine shared, soid 3|15466, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt"; sid:15467; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0235; reference:url,www.microsoft.com/technet/security/bulletin/MS09-010.mspx; metadata: engine shared, soid 3|15467, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word remote code execution attempt"; sid:15524; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0563; reference:url,www.microsoft.com/technet/security/bulletin/MS09-027.mspx; metadata: engine shared, soid 3|15524, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word remote code execution attempt"; sid:15525; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0565; reference:url,www.microsoft.com/technet/security/bulletin/MS09-027.mspx; metadata: engine shared, soid 3|15525, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Works 4.x converter font name buffer overflow attempt"; sid:15526; gid:3; rev:1; classtype:attempted-user; flowbits:isset,works.download; reference:cve,2009-1533; reference:url,www.microsoft.com/technet/security/bulletin/MS09-024.mspx; metadata: engine shared, soid 3|15526, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt"; sid:15680; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-1539; reference:url,www.microsoft.com/technet/security/bulletin/MS09-028.mspx; metadata: engine shared, soid 3|15680, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Publisher 2007 file format arbitrary code execution attempt"; sid:15681; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0566; reference:url,www.microsoft.com/technet/security/bulletin/MS09-030.mspx; metadata: engine shared, soid 3|15681, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT javascript deleted reference arbitrary code execution attempt"; sid:15731; gid:3; rev:4; classtype:attempted-user; reference:cve,2009-1917; reference:url,www.microsoft.com/technet/security/bulletin/MS09-034.mspx; metadata: engine shared, soid 3|15731, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer CSS handling memory corruption attempt"; sid:15732; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-1919; reference:url,www.microsoft.com/technet/security/bulletin/MS09-034.mspx; metadata: engine shared, soid 3|15732, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer empty table tag memory corruption attempt"; sid:15733; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-1918; reference:url,www.microsoft.com/technet/security/bulletin/MS09-034.mspx; metadata: engine shared, soid 3|15733, service http, policy balanced-ips drop, policy security-ips drop;)
# Outbound direction ($HOME_NET -> $EXTERNAL_NET): the only IIS-side stub here that watches requests
# leaving the monitored network.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT Microsoft IIS ASP handling buffer overflow"; sid:15974; gid:3; rev:1; classtype:web-application-attack; reference:bugtraq,27676; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|15974, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT malformed avi file mjpeg compression arbitrary code execution attempt"; sid:15995; gid:3; rev:1; classtype:attempted-user; reference:cve,2008-0011; reference:url,www.microsoft.com/technet/security/bulletin/MS08-033.mspx; metadata: engine shared, soid 3|15995, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer data stream header remote code execution attempt"; sid:16149; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-1547; reference:url,www.microsoft.com/technet/security/bulletin/MS09-054.mspx; metadata: engine shared, soid 3|16149, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer variant argument validation remote code execution attempt"; sid:16150; gid:3; rev:2; classtype:misc-activity; reference:cve,2009-2529; reference:url,www.microsoft.com/technet/security/bulletin/MS09-054.mspx; metadata: engine shared, soid 3|16150, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer table layout unitialized or deleted object access attempt"; sid:16152; gid:3; rev:1; classtype:misc-activity; reference:cve,2009-2531; reference:url,www.microsoft.com/technet/security/bulletin/MS09-054.mspx; metadata: engine shared, soid 3|16152, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Acrobat Reader U3D line set heap corruption attempt"; sid:16172; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2997; metadata: engine shared, soid 3|16172, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt"; sid:16173; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2998; metadata: engine shared, soid 3|16173, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Acrobat Reader U3D progressive mesh continuation off by one index attempt"; sid:16174; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-3458; metadata: engine shared, soid 3|16174, service http, policy balanced-ips drop, policy security-ips drop;)
# The two Collab stubs and the two GDI+ stubs below are flowbit-gated (http.pdf, http.doc, http.xls).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe collab.removeStateModel denial of service attempt"; sid:16175; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-2988; metadata: engine shared, soid 3|16175, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe collab.addStateModel remote corruption attempt"; sid:16176; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-2996; metadata: engine shared, soid 3|16176, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft GDI+ Word file Office Art Property Table remote code execution attempt"; sid:16177; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-2528; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16177, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft GDI+ Excel file Office Art Property Table remote code execution attempt"; sid:16178; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-2528; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16178, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt"; sid:16179; gid:3; rev:2; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2009-2497; reference:url,www.microsoft.com/technet/security/bulletin/MS09-061.mspx; metadata: engine shared, soid 3|16179, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft .NET MSIL stack corruption attempt"; sid:16182; gid:3; rev:2; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2009-0090; reference:url,www.microsoft.com/technet/security/bulletin/MS09-061.mspx; metadata: engine shared, soid 3|16182, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft GDI+ TIFF file parsing heap overflow attempt"; sid:16184; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2502; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16184, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft GDI+ compressed TIFF file parsing remote code execution attempt"; sid:16185; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2503; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16185, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT DirectShow MJPEG arbitrary code execution attempt"; sid:16187; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0084; reference:url,www.microsoft.com/technet/security/bulletin/MS09-011.mspx; metadata: engine shared, soid 3|16187, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt"; sid:16221; gid:3; rev:5; classtype:attempted-dos; reference:bugtraq,34414; reference:cve,2009-0077; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-016.mspx; metadata: engine shared, soid 3|16221;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Shockwave arbitrary memory access attempt"; sid:16225; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2009-3465; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; metadata: engine shared, soid 3|16225, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; sid:16226; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3130; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16226, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel oversized ptgFuncVar cparams value buffer overflow attempt"; sid:16233; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3132; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16233, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel file SXDB record exploit attempt"; sid:16235; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3127; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16235, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel file Window/Pane record exploit attempt"; sid:16240; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3133; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16240, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT Microsoft Windows TCP stack zero window size exploit attempt"; sid:16294; gid:3; rev:3; classtype:attempted-dos; reference:bugtraq,31545; reference:cve,2008-4609; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-048.mspx; metadata: engine shared, soid 3|16294;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft WordPad and Office text converter integer overflow attempt"; sid:16314; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-2506; reference:url,www.microsoft.com/technet/security/bulletin/MS09-073.mspx; metadata: engine shared, soid 3|16314, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer mouse move during refresh memory corruption attempt"; sid:16317; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-3673; reference:url,www.microsoft.com/technet/security/bulletin/MS09-072.mspx; metadata: engine shared, soid 3|16317, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe JPEG2k uninitialized QCC memory corruption attempt"; sid:16323; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-2995; metadata: engine shared, soid 3|16323, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer 8 DOM memory corruption attempt"; sid:16326; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-3671; reference:cve,2010-0245; reference:cve,2010-0246; reference:url,www.microsoft.com/technet/security/bulletin/MS09-072.mspx; metadata: engine shared, soid 3|16326, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Windows GDIplus TIFF RLE compressed data buffer overflow attempt"; sid:16327; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2503; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16327, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office Project file parsing arbitrary memory access attempt"; sid:16328; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0102; reference:url,www.microsoft.com/technet/security/bulletin/MS09-074.mspx; metadata: engine shared, soid 3|16328, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT Adobe Flash directory traversal attempt"; sid:16337; gid:3; rev:3; classtype:attempted-admin; reference:bugtraq,37420; reference:cve,2009-3792; reference:url,www.adobe.com/support/security/bulletins/apsb09-18.html; metadata: engine shared, soid 3|16337, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft embedded OpenType font engine LZX decompression buffer overflow attempt"; sid:16366; gid:3; rev:2; classtype:attempted-admin; reference:cve,2010-0018; reference:url,www.microsoft.com/technet/security/bulletin/MS10-001.mspx; metadata: engine shared, soid 3|16366, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit"; sid:16369; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0249; reference:url,www.microsoft.com/technet/security/bulletin/MS10-002.mspx; metadata: engine shared, soid 3|16369, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer onPropertyChange deleteTable memory corruption attempt"; sid:16376; gid:3; rev:1; classtype:misc-activity; reference:cve,2010-0244; metadata: engine shared, soid 3|16376, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer DOM mergeAttributes memory corruption attempt"; sid:16377; gid:3; rev:1; classtype:misc-activity; reference:cve,2010-0247; metadata: engine shared, soid 3|16377, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft PowerPoint out of bounds value remote code execution attempt"; sid:16421; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-0032; reference:url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx; metadata: engine shared, soid 3|16421, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT JPEG with malformed SOFx field"; sid:16422; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.jpeg; reference:cve,2010-0028; reference:url,www.microsoft.com/technet/security/bulletin/MS10-005; metadata: engine shared, soid 3|16422, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel BIFF8 formulas from records parsing code execution attempt"; sid:16462; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0258; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16462, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel BIFF5 formulas from records parsing code execution attempt"; sid:16463; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0258; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16463, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel uninitialized stack variable code execution attempt"; sid:16466; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0262; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16466, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel 2007 invalid comments.xml uninitialized pointer access attempt 1"; sid:16467; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-0263; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16467, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel 2007 invalid comments.xml uninitialized pointer access attempt 2"; sid:16468; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-0263; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16468, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer event handling remote code execution attempt"; sid:16503; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-0267; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16503, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer 7 encoded content handling exploit attempt"; sid:16504; gid:3; rev:2; classtype:misc-attack; reference:cve,2010-0488; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16504, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft IE HTML parsing memory corruption attempt"; sid:16505; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0489; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16505, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer designMode-enabled information disclosure attempt"; sid:16509; gid:3; rev:2; classtype:misc-attack; reference:cve,2010-0494; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16509, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT IE malformed span/div html document heap corruption attempt"; sid:16512; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-0807; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16512;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Visio improper attribute code execution attempt"; sid:16535; gid:3; rev:1; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2010-0254; reference:url,www.microsoft.com/technet/security/bulletin/MS10-028.mspx; metadata: engine shared, soid 3|16535, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Visio off-by-one in array index code execution attempt"; sid:16536; gid:3; rev:1; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2010-0256; reference:url,www.microsoft.com/technet/security/bulletin/MS10-028.mspx; metadata: engine shared, soid 3|16536, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Windows Media Player ActiveX unknown compression algorithm use arbitrary code execution attempt"; sid:16537; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-0268; reference:url,www.microsoft.com/technet/security/bulletin/ms10-027.mspx; metadata: engine shared, soid 3|16537, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Publisher 2007 and earlier stack buffer overflow attempt"; sid:16542; gid:3; rev:3; classtype:attempted-user; flowbits:set,http.pub; reference:cve,2010-0479; reference:url,www.microsoft.com/technet/security/bulletin/MS10-023.mspx; metadata: engine shared, soid 3|16542, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Reader/Acrobat Pro CFF font parsing heap overflow attempt"; sid:16546; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1241; metadata: engine shared, soid 3|16546, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office Excel ptg index parsing code execution attempt"; sid:16553; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3132; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16553, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1"; sid:16561; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; metadata: engine shared, soid 3|16561, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2"; sid:16562; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; metadata: engine shared, soid 3|16562, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3"; sid:16563; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; metadata: engine shared, soid 3|16563, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4"; sid:16564; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; metadata: engine shared, soid 3|16564, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer security zone restriction bypass attempt"; sid:16637; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-0255; reference:url,www.microsoft.com/technet/security/bulletin/MS10-035.mspx; metadata: engine shared, soid 3|16637, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel WOpt record memory corruption attempt"; sid:16644; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0824; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16644, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel SxView record memory pointer corruption attempt"; sid:16645; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1245; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16645, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel RealTimeData record stack buffer overflow attempt"; sid:16646; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1246; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16646, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel RealTimeData record heap memory corruption attempt - 1"; sid:16648; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1247; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16648, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer style sheet array memory corruption attempt"; sid:16659; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-1259; reference:cve,2010-1262; reference:url,www.microsoft.com/technet/security/bulletin/MS10-035.mspx; metadata: engine shared, soid 3|16659, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT quartz.dll MJPEG content processing memory corruption attempt"; sid:16661; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.avi; reference:cve,2010-1879; reference:url,www.microsoft.com/technet/security/bulletin/MS10-033.mspx; metadata: engine shared, soid 3|16661, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Reader CoolType.dll remote memory corruption denial of service attempt"; sid:16801; gid:3; rev:1; classtype:attempted-dos; flowbits:isset,http.pdf; reference:bugtraq,41130; reference:cve,2010-2204; metadata: engine shared, soid 3|16801, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Access ACCWIZ library release after free attempt - 1"; sid:17038; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-1881; reference:url,www.microsoft.com/technet/security/bulletin/MS10-044.mspx; metadata: engine shared, soid 3|17038, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Access ACCWIZ library release after free attempt - 2"; sid:17039; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-1881; reference:url,www.microsoft.com/technet/security/bulletin/MS10-044.mspx; metadata: engine shared, soid 3|17039, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft MPEG Layer-3 audio heap corruption attempt"; sid:17117; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.mp3; reference:cve,2010-1882; reference:url,www.microsoft.com/technet/Bulletin/advisory/MS10-052.mspx; metadata: engine shared, soid 3|17117, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt"; sid:17118; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1898; reference:url,www.microsoft.com/technet/security/bulletin/MS10-060.mspx; metadata: engine shared, soid 3|17118, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word sprmCMajority SPRM overflow attempt"; sid:17119; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-1900; reference:url,www.microsoft.com/technet/security/bulletin/MS10-056.mspx; metadata: engine shared, soid 3|17119, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Cinepak Codec VIDC decompression remote code execution attempt"; sid:17128; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.avi; reference:cve,2010-2553; reference:url,www.microsoft.com/technet/security/bulletin/MS10-055.mspx; metadata: engine shared, soid 3|17128, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer invalid object access attempt"; sid:17132; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-2560; reference:url,www.microsoft.com/technet/security/bulletin/MS10-053.mspx; metadata: engine shared, soid 3|17132, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Windows Movie Maker string size overflow attempt"; sid:17135; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.mswmm; reference:cve,2010-2564; reference:url,www.microsoft.com/technet/security/bulletin/MS10-050.mspx; metadata: engine shared, soid 3|17135, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer 6 race condition exploit attempt"; sid:17136; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2558; reference:url,www.microsoft.com/technet/security/bulletin/MS10-053.mspx; metadata: engine shared, soid 3|17136, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Flash invalid data precision arbitrary code execution exploit attempt"; sid:17141; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-2216; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; metadata: engine shared, soid 3|17141, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Flash Player SWF ActionScript exploit attempt"; sid:17142; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0209; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; metadata: engine shared, soid 3|17142, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director remote code execution attempt"; sid:17190; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2871; metadata: engine shared, soid 3|17190, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director remote code execution attempt"; sid:17191; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2872; metadata: engine shared, soid 3|17191, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director remote code execution attempt"; sid:17192; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2873; metadata: engine shared, soid 3|17192, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director remote code execution attempt"; sid:17193; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2874; metadata: engine shared, soid 3|17193, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director file tSAC tag exploit attempt"; sid:17194; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2875; metadata: engine shared, soid 3|17194, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director file exploit attempt"; sid:17195; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2876; metadata: engine shared, soid 3|17195, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director file exploit attempt"; sid:17196; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2877; metadata: engine shared, soid 3|17196, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director file exploit attempt"; sid:17197; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2879; metadata: engine shared, soid 3|17197, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Director file exploit attempt"; sid:17198; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2878; metadata: engine shared, soid 3|17198, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft WordPad sprmTSetBrc80 SPRM overflow attempt"; sid:17250; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2563; reference:url,www.microsoft.com/technet/security/bulletin/MS10-067.mspx; metadata: engine shared, soid 3|17250, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT Microsoft IIS FastCGI heap overflow attempt"; sid:17255; gid:3; rev:2; classtype:attempted-admin; reference:cve,2010-2730; reference:url,www.microsoft.com/technet/security/bulletin/MS10-065.mspx; metadata: engine shared, soid 3|17255, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer invalid pointer memory corruption attempt"; sid:17685; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0806; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; metadata: engine shared, soid 3|17685, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer invalid pointer memory corruption attempt"; sid:17686; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0806; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; metadata: engine shared, soid 3|17686, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Internet Explorer invalid pointer memory corruption attempt"; sid:17687; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0806; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; metadata: engine shared, soid 3|17687, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word remote code execution attempt"; sid:17690; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0565; reference:url,www.microsoft.com/technet/security/bulletin/MS09-027.mspx; metadata: engine shared, soid 3|17690, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word remote code execution attempt"; sid:17691; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0565; reference:url,www.microsoft.com/technet/security/bulletin/MS09-027.mspx; metadata: engine shared, soid 3|17691, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word remote code execution attempt"; sid:17742; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0563; reference:url,www.microsoft.com/technet/security/bulletin/MS09-027.mspx; metadata: engine shared, soid 3|17742, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word RTF parsing memory corruption"; sid:17743; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,29104; reference:cve,2008-1091; reference:url,www.microsoft.com/technet/security/bulletin/MS08-026.mspx; metadata: engine shared, soid 3|17743, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; sid:17747; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,eot.download; reference:cve,2010-1883; reference:url,www.microsoft.com/technet/security/bulletin/MS10-076.mspx; metadata: engine shared, soid 3|17747, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT OpenType Font file parsing denial of service attempt"; sid:17752; gid:3; rev:2; classtype:denial-of-service; flowbits:isset,http.otf; reference:cve,2010-2741; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-078.mspx; metadata: engine shared, soid 3|17752, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word bookmark bound check remote code execution attempt"; sid:17754; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-3216; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-079.mspx; metadata: engine shared, soid 3|17754, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word unchecked index value remote code execution attempt"; sid:17755; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-3219; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-079.mspx; metadata: engine shared, soid 3|17755, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel GhostRw record exploit attempt"; sid:17763; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3242; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17763, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT IE8 XSS in toStaticHTML API attempt"; sid:17766; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3243; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS10-072.mspx; metadata: engine shared, soid 3|17766, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT IE8 XSS in toStaticHTML API 2 attempt"; sid:17767; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3324; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS10-072.mspx; metadata: engine shared, soid 3|17767, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT IE8 object event handler use after free exploit attempt"; sid:17768; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3326; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; metadata: engine shared, soid 3|17768, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT IE8 CSS invalid mapping exploit attempt"; sid:17769; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3328; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS10-XXX.mspx; metadata: engine shared, soid 3|17769, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Internet Explorer cross-domain information disclosure attempt"; sid:17771; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3330; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; metadata: engine shared, soid 3|17771, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Windows Media Player Firefox plugin memory corruption attempt"; sid:17773; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.wmv; reference:cve,2010-2745; reference:url,www.microsoft.com/technet/security/bulletin/MS10-083.mspx; metadata: engine shared, soid 3|17773, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT IE8 CSS XSRF exploit attempt"; sid:17774; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3325; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; metadata: engine shared, soid 3|17774, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft .NET framework EntityObject execution attempt"; sid:18064; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.exe; reference:cve,2010-3228; reference:url,www.microsoft.com/technet/security/bulletin/MS10-077.mspx; metadata: engine shared, soid 3|18064, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft PowerPoint converter bad indirection remote code execution attempt"; sid:18065; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-2572; reference:url,www.microsoft.com/technet/security/bulletin/MS10-088; metadata: engine shared, soid 3|18065, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel malformed MsoDrawingObject record attempt"; sid:18068; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3335; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087.mspx; metadata: engine shared, soid 3|18068, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Flash Player ActionScript remote code execution attempt"; sid:18180; gid:3; rev:1; classtype:attempted-user; reference:bugtraq,44684; reference:cve,2010-3648; reference:url,www.adobe.com/support/security/bulletins/apsb10-26.html; metadata: engine shared, soid 3|18180, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office .CGM file cell array heap overflow attempt"; sid:18200; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3945; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; metadata: engine shared, soid 3|18200, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office TIFF filter remote code execution attempt"; sid:18201; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.tiff; reference:cve,2010-3947; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; metadata: engine shared, soid 3|18201, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft WMI tracing api integer truncation attempt"; sid:18408; gid:3; rev:1; classtype:attempted-admin; reference:cve,2011-0045; reference:url,www.microsoft.com/technet/security/bulletin/MS11-011.mspx; metadata: engine shared, soid 3|18408, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft WMI tracing api integer truncation attempt"; sid:18413; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,http.exe; reference:cve,2011-0045; reference:url,www.microsoft.com/technet/security/bulletin/MS11-011.mspx; metadata: engine shared, soid 3|18413, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe OpenAction crafted URI action thru Firefox attempt"; sid:18447; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-0587; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18447, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft MPEG Layer-3 audio heap corruption attempt"; sid:18463; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.asx; reference:cve,2010-1882; reference:url,www.microsoft.com/technet/Bulletin/advisory/MS10-052.mspx; metadata: engine shared, soid 3|18463, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft .NET framework optimizer escalation attempt"; sid:18624; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3958; reference:url,www.microsoft.com/technet/security/bulletin/MS11-028.mspx; metadata: engine shared, soid 3|18624, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Powerpoint ExObjRefAtom within an OfficeArtClientData container exploit attempt"; sid:18637; gid:3; rev:3; classtype:attempted-admin; flowbits:isset,http.ppt; reference:cve,2011-0976; reference:url,www.microsoft.com/technet/security/bulletin/MS11-022.mspx; metadata: engine shared, soid 3|18637, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Excel OfficeArtSpContainer record exploit attempt"; sid:18638; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,http.xls; reference:cve,2011-0977; reference:url,www.microsoft.com/technet/security/bulletin/MS11-023.mspx; metadata: engine shared, soid 3|18638;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18661; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-0662; reference:url,www.microsoft.com/technet/security/bulletin/MS11-034.mspx; metadata: engine shared, soid 3|18661;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18662; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-1229; reference:cve,2011-1231; reference:url,www.microsoft.com/technet/security/bulletin/MS11-034.mspx; metadata: engine shared, soid 3|18662;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18663; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-1237; reference:url,www.microsoft.com/technet/security/bulletin/ms11-034.mspx; metadata: engine shared, soid 3|18663;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18664; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-1238; reference:url,www.microsoft.com/technet/security/bulletin/ms11-034.mspx; metadata: engine shared, soid 3|18664;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18665; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-1239; reference:url,www.microsoft.com/technet/security/bulletin/ms11-034.mspx; metadata: engine shared, soid 3|18665;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18666; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-1241; reference:url,www.microsoft.com/technet/security/bulletin/ms11-034.mspx; metadata: engine shared, soid 3|18666;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft win32k.sys escalation of privilege attempt"; sid:18667; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-1242; reference:url,www.microsoft.com/technet/security/bulletin/ms11-034.mspx; metadata: engine shared, soid 3|18667;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Adobe Flash Player undefined tag exploit attempt"; sid:18805; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2214; metadata: engine shared, soid 3|18805, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt"; sid:14251; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-3014; reference:url,www.microsoft.com/technet/security/bulletin/MS08-052.mspx; metadata: engine shared, soid 3|14251, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC .NET framework XMLDsig data tampering attempt"; sid:16636; gid:3; rev:2; classtype:misc-attack; reference:cve,2009-0217; reference:url,osvdb.org/show/osvdb/56243; reference:url,www.microsoft.com/technet/security/bulletin/MS10-041.mspx; metadata: engine shared, soid 3|16636, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MISC TRUFFLEHUNTER SFVRT-1008 attack attempt"; sid:17681; gid:3; rev:2; classtype:unknown; flowbits:set,httpifnonematch; flowbits:noalert; metadata: engine shared, soid 3|17681, service http;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC TRUFFLEHUNTER SFVRT-1008 attack attempt"; sid:17682; gid:3; rev:4; classtype:unknown; flowbits:isset,httpifnonematch; flowbits:noalert; metadata: engine shared, soid 3|17682, service http;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MISC TRUFFLEHUNTER SFVRT-1008 attack attempt"; sid:17683; gid:3; rev:2; classtype:unknown; flowbits:set,httpifnonematch; flowbits:noalert; metadata: engine shared, soid 3|17683, service http;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC TRUFFLEHUNTER SFVRT-1008 attack attempt"; sid:17684; gid:3; rev:4; classtype:unknown; flowbits:isset,httpifnonematch; flowbits:noalert; metadata: engine shared, soid 3|17684, service http;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt"; sid:17300; gid:3; rev:1; classtype:attempted-user; flowbits:isset,vqf_file.request; reference:bugtraq,32822; reference:cve,2008-5616; reference:url,trapkit.de/advisories/TKADV2008-014.txt; metadata: engine shared, soid 3|17300, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"NETBIOS Web-based NTLM replay attack attempt"; sid:15124; gid:3; rev:9; classtype:attempted-user; reference:cve,2008-4037; reference:url,www.microsoft.com/technet/security/bulletin/MS08-068.mspx; reference:cve,2008-3009; reference:url,www.microsoft.com/technet/security/bulletin/MS08-076.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS09-013.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS09-014.mspx; reference:cve,2009-0550; reference:url,www.microsoft.com/technet/security/bulletin/MS09-042.mspx; reference:cve,2009-1930; reference:url,www.microsoft.com/technet/security/bulletin/MS10-012.mspx; reference:cve,2010-0231; reference:cve,2000-0834; metadata: engine shared, soid 3|15124;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe JPEG2k uninitialized QCC memory corruption attempt"; sid:16325; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-2994; metadata: engine shared, soid 3|16325, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel EntExU2 write access violation attempt"; sid:16461; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16461, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt"; sid:17758; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17758, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel RealTimeData record exploit attempt"; sid:17760; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17760, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS MS Publisher tyo.oty field heap overflow attempt"; sid:18212; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.pub; reference:cve,2010-2569; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; metadata: engine shared, soid 3|18212, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS MS Publisher column and row remote code execution attempt"; sid:18213; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.pub; reference:cve,2010-2570; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; metadata: engine shared, soid 3|18213, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS MS Publisher 97 conversion remote code execution attempt"; sid:18214; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.pub; reference:cve,2010-2571; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; metadata: engine shared, soid 3|18214, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer html time manipulation attempt"; sid:18218; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3346; reference:url,www.microsoft.com/technet/security/bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18218, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft FlashPix tile length overflow attempt"; sid:18229; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.fpx; reference:cve,2010-3952; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; metadata: engine shared, soid 3|18229, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Publisher memory corruption attempt"; sid:18230; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.pub; reference:cve,2010-3954; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; metadata: engine shared, soid 3|18230, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office TIFFIM32.FLT filter memory corruption attempt"; sid:18236; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.tiff; reference:cve,2010-3949; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; metadata: engine shared, soid 3|18236, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Data Access Components library attempt"; sid:18276; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0026; reference:url,www.microsoft.com/technet/security/bulletin/MS11-002.mspx; metadata: engine shared, soid 3|18276, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Excel BRAI record remote code execution attempt"; sid:18399; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0549; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|18399, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS MS CSRSS local process allowed to persist through logon or logoff attempt"; sid:18400; gid:3; rev:1; classtype:attempted-admin; reference:cve,2011-0030; reference:url,www.microsoft.com/technet/security/bulletin/MS11-010.mspx; metadata: engine shared, soid 3|18400, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; sid:18402; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0033; reference:url,www.microsoft.com/technet/security/bulletin/MS11-007.mspx; metadata: engine shared, soid 3|18402, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt"; sid:18405; gid:3; rev:1; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2011-0039; reference:url,www.microsoft.com/technet/security/bulletin/MS11-014.mspx; metadata: engine shared, soid 3|18405, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Windows Server 2003 update service principal name spn dos executable attempt"; sid:18406; gid:3; rev:1; classtype:attempted-admin; reference:cve,2011-0040; reference:url,www.microsoft.com/technet/security/bulletin/MS11-005.mspx; metadata: engine shared, soid 3|18406, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt"; sid:18409; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,exe.download; reference:cve,2011-0086; reference:url,www.microsoft.com/technet/security/bulletin/MS11-012.mspx; metadata: engine shared, soid 3|18409, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt"; sid:18410; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,exe.download; reference:cve,2011-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS11-012.mspx; metadata: engine shared, soid 3|18410, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt"; sid:18411; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,http.exe; reference:cve,2011-0088; reference:url,www.microsoft.com/technet/security/bulletin/MS11-012.mspx; metadata: engine shared, soid 3|18411, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt"; sid:18412; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,http.exe; reference:cve,2011-0089; reference:url,www.microsoft.com/technet/security/bulletin/MS11-012.mspx; metadata: engine shared, soid 3|18412, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SPECIFIC-THREATS Microsoft Visio deserialization double free attempt"; sid:18415; gid:3; rev:1; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2011-0092; reference:url,www.microsoft.com/technet/security/bulletin/MS11-008.mspx; metadata: engine shared, soid 3|18415, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SPECIFIC-THREATS Microsoft Visio ORMinfo classes length overflow attempt"; sid:18416; gid:3; rev:1; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2011-0093; reference:url,www.microsoft.com/technet/security/bulletin/MS11-008.mspx; metadata: engine shared, soid 3|18416, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SPECIFIC-THREATS Microsoft Visio ORMinfo classes length overflow attempt"; sid:18417; gid:3; rev:1; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2011-0093; reference:url,www.microsoft.com/technet/security/bulletin/MS11-008.mspx; metadata: engine shared, soid 3|18417, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash player ActionScript apply function memory corruption attempt"; sid:18418; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0558; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18418, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash player ActionScript ASnative function remote code execution attempt"; sid:18420; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0559; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18420, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash player ActionScript beginGradientFill memory corruption attempt"; sid:18421; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0561; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18421, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash forged atom type attempt"; sid:18444; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0574; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18444;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat Universal 3D stream memory corruption attempt"; sid:18448; gid:3; rev:3; classtype:attempted-user; reference:cve,2011-0592; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18448, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt"; sid:18449; gid:3; rev:3; classtype:attempted-user; reference:cve,2011-0594; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18449, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed BMP RGBQUAD attempt"; sid:18450; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.bmp; reference:cve,2011-0596; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18450;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat ICC color integer overflow attempt"; sid:18451; gid:3; rev:3; classtype:attempted-user; reference:cve,2011-0598; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18451, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe malicious IFF memory corruption attempt"; sid:18452; gid:3; rev:2; classtype:attempted-admin; reference:cve,2011-0587; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18452;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat universal 3D format memory corruption attempt"; sid:18453; gid:3; rev:4; classtype:attempted-user; reference:cve,2011-0593; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18453, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Acrobat universal 3D format memory corruption attempt"; sid:18454; gid:3; rev:3; classtype:attempted-user; reference:cve,2011-0599; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18454, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed jpeg2000 superbox attempt"; sid:18455; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2011-0602; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18455;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader U3D rgba parsing overflow attempt"; sid:18457; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2011-0591; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18457, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Media Player dvr-ms file parsing remote code execution attempt"; sid:18498; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0042; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-015.mspx; metadata: engine shared, soid 3|18498;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash ActionScript ActionIf out of range negative offset attempt"; sid:18502; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0560; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18502, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt"; sid:18503; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0578; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18503, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionConstantPool overflow attempt"; sid:18504; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0607; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18504, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionPush overflow attempt"; sid:18505; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2011-0608; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18505, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS embedded Shockwave dropper download"; sid:18543; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; metadata: engine shared, soid 3|18543, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft PowerPoint malformed record call to freed object attempt"; sid:18635; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2011-0065; reference:url,www.microsoft.com/technet/security/bulletin/MS11-022.mspx; metadata: engine shared, soid 3|18635, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft PowerPoint SlideAtom record exploit attempt"; sid:18636; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2011-0656; reference:url,www.microsoft.com/technet/security/bulletin/MS11-022.mspx; metadata: engine shared, soid 3|18636, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Excel OBJ record invalid cmo.ot exploit attempt"; sid:18641; gid:3; rev:1; classtype:attempted-admin; flowbits:isset,http.xls; reference:cve,2011-0980; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18641;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Word Converter sprmTSplit overflow attempt"; sid:18642; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0028; reference:url,www.microsoft.com/technet/security/bulletin/MS11-033.mspx; metadata: engine shared, soid 3|18642, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Word Converter sprmTTextFlow overflow attempt"; sid:18643; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0028; reference:url,www.microsoft.com/technet/security/bulletin/MS11-033.mspx; metadata: engine shared, soid 3|18643, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS OpenType Fonts CompactFontFormat FontMatrix transform memory corruption attempt"; sid:18644; gid:3; rev:1; classtype:attempted-admin; reference:cve,2011-0034; reference:url,www.microsoft.com/technet/security/bulletin/MS11-032.mspx; metadata: engine shared, soid 3|18644, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft GDI+ arbitrary code execution attempt"; sid:18645; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.emf; reference:cve,2011-0041; reference:url,www.microsoft.com/technet/security/bulletin/MS11-029.mspx; metadata: engine shared, soid 3|18645;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer 6/7 CSS swapNode memory corruption attempt"; sid:18646; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0094; reference:url,www.microsoft.com/technet/security/bulletin/MS11-018.mspx; metadata: engine shared, soid 3|18646, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows AFD.SYS null write attempt"; sid:18691; gid:3; rev:1; classtype:attempted-admin; reference:cve,2011-1249; metadata: engine shared, soid 3|18691, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel sheet object type confusion exploit attempt"; sid:18740; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0258; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|18740, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Visio Data Type Memory Corruption"; sid:18755; gid:3; rev:2; classtype:attempted-user; flowbits:isset,visio.request; reference:bugtraq,46138; reference:cve,2011-0093; metadata: engine shared, soid 3|18755, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Excel ADO Object Parsing Code Execution"; sid:18771; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,40531; reference:cve,2010-1253; metadata: engine shared, soid 3|18771;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Excel ADO Object Parsing Code Execution"; sid:18772; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,40531; reference:cve,2010-1253; metadata: engine shared, soid 3|18772;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel RealTimeData record exploit attempt"; sid:18806; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|18806, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SQL Microsoft SQL Server Backup Database File integer overflow attempt"; sid:13888; gid:3; rev:4; classtype:attempted-admin; flowbits:isset,backup_file.request; reference:cve,2008-0107; reference:url,www.microsoft.com/technet/security/bulletin/MS08-040.mspx; metadata: engine shared, soid 3|13888, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SQL Microsoft SQL Server Backup Database File integer overflow attempt"; sid:13889; gid:3; rev:4; classtype:attempted-admin; flowbits:isset,backup_file.request; reference:cve,2008-0107; reference:url,www.microsoft.com/technet/security/bulletin/MS08-040.mspx; metadata: engine shared, soid 3|13889, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SQL Microsoft SQL Server Backup Database File integer overflow attempt"; sid:13890; gid:3; rev:4; classtype:attempted-admin; flowbits:isset,backup_file.request; reference:cve,2008-0107; reference:url,www.microsoft.com/technet/security/bulletin/MS08-040.mspx; metadata: engine shared, soid 3|13890, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid access"; sid:13451; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; reference:url,www.microsoft.com/technet/security/bulletin/ms08-010.mspx; metadata: engine shared, soid 3|13451;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid unicode access"; sid:13452; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; reference:url,www.microsoft.com/technet/security/bulletin/ms08-010.mspx; metadata: engine shared, soid 3|13452;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid access"; sid:13457; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0065; reference:url,www.microsoft.com/technet/security/bulletin/MS08-008.mspx; metadata: engine shared, soid 3|13457, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid unicode access"; sid:13458; gid:3; rev:3; classtype:attempted-user; reference:cve,2007-0065; reference:url,www.microsoft.com/technet/security/bulletin/MS08-008.mspx; metadata: engine shared, soid 3|13458;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call access"; sid:13459; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0065; reference:url,www.microsoft.com/technet/security/bulletin/MS08-008.mspx; metadata: engine shared, soid 3|13459, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call unicode access"; sid:13460; gid:3; rev:3; classtype:attempted-user; reference:cve,2007-0065; reference:url,www.microsoft.com/technet/security/bulletin/MS08-008.mspx; metadata: engine shared, soid 3|13460;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid access"; sid:13580; gid:3; rev:3; classtype:attempted-user; reference:cve,2006-4695; reference:url,www.microsoft.com/technet/security/bulletin/MS08-017.mspx; metadata: engine shared, soid 3|13580;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid unicode access"; sid:13581; gid:3; rev:3; classtype:attempted-user; reference:cve,2006-4695; reference:url,www.microsoft.com/technet/security/bulletin/MS08-017.mspx; metadata: engine shared, soid 3|13581;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid access"; sid:13668; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13668, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid unicode access"; sid:13669; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13669;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call access"; sid:13670; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13670, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call unicode access"; sid:13671; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13671;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid access"; sid:13672; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13672, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid unicode access"; sid:13673; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13673;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call access"; sid:13674; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13674, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call unicode access"; sid:13675; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1086; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-023.mspx; metadata: engine shared, soid 3|13675;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sapi.dll ActiveX clsid access"; sid:13828; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0675; reference:url,www.microsoft.com/technet/security/bulletin/MS08-032.mspx; metadata: engine shared, soid 3|13828;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sapi.dll ActiveX clsid unicode access"; sid:13829; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0675; reference:url,www.microsoft.com/technet/security/bulletin/MS08-032.mspx; metadata: engine shared, soid 3|13829;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid access"; sid:13830; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0675; reference:url,www.microsoft.com/technet/security/bulletin/MS08-032.mspx; metadata: engine shared, soid 3|13830;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid unicode access"; sid:13831; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0675; reference:url,www.microsoft.com/technet/security/bulletin/MS08-032.mspx; metadata: engine shared, soid 3|13831;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX backweb ActiveX clsid access"; sid:13832; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0675; reference:url,www.microsoft.com/technet/security/bulletin/MS08-032.mspx; metadata: engine shared, soid 3|13832;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX backweb ActiveX clsid unicode access"; sid:13833; gid:3; rev:4; classtype:attempted-user; reference:cve,2007-0675; reference:url,www.microsoft.com/technet/security/bulletin/MS08-032.mspx; metadata: engine shared, soid 3|13833;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Message System ActiveX clsid access"; sid:13965; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-0082; reference:url,www.microsoft.com/technet/security/bulletin/MS08-050.mspx; metadata: engine shared, soid 3|13965, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Message System ActiveX clsid unicode access"; sid:13966; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-0082; reference:url,www.microsoft.com/technet/security/bulletin/MS08-050.mspx; metadata: engine shared, soid 3|13966;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Message System ActiveX function call access"; sid:13967; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-0082; reference:url,www.microsoft.com/technet/security/bulletin/MS08-050.mspx; metadata: engine shared, soid 3|13967, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Message System ActiveX function call unicode access"; sid:13968; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-0082; reference:url,www.microsoft.com/technet/security/bulletin/MS08-050.mspx; metadata: engine shared, soid 3|13968;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid access"; sid:14255; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; metadata: engine shared, soid 3|14255, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid unicode access"; sid:14256; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; metadata: engine shared, soid 3|14256;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call access"; sid:14257; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; metadata: engine shared, soid 3|14257, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call unicode access"; sid:14258; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; metadata: engine shared, soid 3|14258;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid access"; sid:15084; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15084, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid unicode access"; sid:15085; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15085;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call access"; sid:15086; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15086, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call unicode access"; sid:15087; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15087;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid access"; sid:15088; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15088, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid unicode access"; sid:15089; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15089;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call access"; sid:15090; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15090, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call unicode access"; sid:15091; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15091;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid access"; sid:15092; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15092, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid unicode access"; sid:15093; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15093;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call access"; sid:15094; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15094, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call unicode access"; sid:15095; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15095;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid access"; sid:15096; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15096, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid unicode access"; sid:15097; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15097;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call access"; sid:15098; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15098, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call unicode access"; sid:15099; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15099;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid access"; sid:15100; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15100, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid unicode access"; sid:15101; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15101;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call access"; sid:15102; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15102, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call unicode access"; sid:15103; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15103;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid access"; sid:15109; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4258; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15109, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid unicode access"; sid:15110; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4258; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15110;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid unicode access"; sid:15111; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-014.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS04-038.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15111;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell.Explorer 2 ActiveX function call access"; sid:15112; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-014.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS04-038.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15112, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell.Explorer 2 ActiveX function call unicode access"; sid:15113; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-014.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS04-038.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15113;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access"; sid:15118; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15118, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access"; sid:15119; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15119;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access"; sid:15120; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15120, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access"; sid:15121; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15121;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid access"; sid:15122; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-014.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS04-038.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15122, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; sid:15685; gid:3; rev:4; classtype:attempted-user; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15685, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid unicode access"; sid:15686; gid:3; rev:4; classtype:attempted-user; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15686;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; sid:15687; gid:3; rev:4; classtype:attempted-user; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15687, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call unicode access"; sid:15688; gid:3; rev:4; classtype:attempted-user; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15688;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; sid:15689; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15689, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid unicode access"; sid:15690; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15690;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; sid:15691; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15691, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call unicode access"; sid:15692; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx; metadata: engine shared, soid 3|15692;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid access"; sid:15861; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/bulletin/MS09-044.mspx; metadata: engine shared, soid 3|15861, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid unicode access"; sid:15862; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/bulletin/MS09-044.mspx; metadata: engine shared, soid 3|15862;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call access"; sid:15863; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/bulletin/MS09-044.mspx; metadata: engine shared, soid 3|15863, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call unicode access"; sid:15864; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/bulletin/MS09-044.mspx; metadata: engine shared, soid 3|15864;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid access"; sid:16371; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,37759; reference:cve,2009-3958; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; metadata: engine shared, soid 3|16371, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid unicode access"; sid:16372; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,37759; reference:cve,2009-3958; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; metadata: engine shared, soid 3|16372;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AcroPDF.PDF ActiveX clsid access"; sid:16386; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2987; metadata: engine shared, soid 3|16386;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access"; sid:16387; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2987; metadata: engine shared, soid 3|16387;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AcroPDF.PDF ActiveX function call access"; sid:16388; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2987; metadata: engine shared, soid 3|16388;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access"; sid:16389; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2987; metadata: engine shared, soid 3|16389;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid access"; sid:16419; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0252; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-008.mspx; metadata: engine shared, soid 3|16419, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid unicode access"; sid:16420; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0252; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-008.mspx; metadata: engine shared, soid 3|16420;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by CLSID"; sid:16510; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0805; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16510, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by ProgID"; sid:16511; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0805; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16511, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by CLSID / param tag"; sid:16559; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0805; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16559, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MS Access multiple control instantiation memory corruption attempt"; sid:17037; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0814; reference:url,www.microsoft.com/technet/security/bulletin/MS10-044.mspx; metadata: engine shared, soid 3|17037, policy security-ips drop;)
# NOTE(review): this rule and the later ones in this section that carry flowbits:isset
# (http.doc here; http.bmp, http.pdf, works.download, http.xls, http.ppt, http.dxf,
# http.search-ms, http.eps.download, wmf.download, http.rtf, visio.request below) only
# match on a flow that a separate setter rule has already tagged. None of those setter
# rules is in this section. If a setter is disabled, renamed, or pruned from the policy,
# the consumer rule silently never fires — there is no error, just missing coverage, so
# audit the setters together with these rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HtmlDlgHelper ActiveX clsid access"; sid:17770; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-3329; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; metadata: engine shared, soid 3|17770, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Scriptlet Component ActiveX clsid access"; sid:17772; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3331; reference:url,www.microsoft.com/technet/security/bulletin/MS10-071.mspx; metadata: engine shared, soid 3|17772, policy security-ips drop;)
# NOTE(review): sids 18197, 18198 and 18199 share an identical msg, classtype and
# reference set. Alerts from them are indistinguishable by message text alone; SIEM
# correlation and tuning must key on gid:sid (3:18197 / 3:18198 / 3:18199), not on msg.
# The SO presumably implements three distinct checks for the same CVE — which one each
# sid covers is not recoverable from the stubs.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt"; sid:18197; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3340; reference:url,www.microsoft.com/technet/security/bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18197, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt"; sid:18198; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3340; reference:url,www.microsoft.com/technet/security/bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18198, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt"; sid:18199; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3340; reference:url,www.microsoft.com/technet/security/bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18199, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Windows Messenger ActiveX clsid access"; sid:18668; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-1243; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-027.mspx; metadata: engine shared, soid 3|18668, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft IE8 Developer Tool ActiveX clsid access"; sid:18672; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0811; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-027.mspx; metadata: engine shared, soid 3|18672, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt"; sid:16222; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.bmp; reference:cve,2009-2989; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; reference:cve,2009-3678; reference:url,www.microsoft.com/technet/security/advisory/2028859.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS10-043.mspx; metadata: engine shared, soid 3|16222, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt"; sid:16370; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-3955; metadata: engine shared, soid 3|16370, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DXLUTBuilder ActiveX clsid access"; sid:13453; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-0078; reference:url,www.microsoft.com/technet/security/bulletin/MS08-010.mspx; metadata: engine shared, soid 3|13453, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DXLUTBuilder ActiveX clsid unicode access"; sid:13454; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-0078; reference:url,www.microsoft.com/technet/security/bulletin/MS08-010.mspx; metadata: engine shared, soid 3|13454;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DXLUTBuilder ActiveX function call access"; sid:13455; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-0078; reference:url,www.microsoft.com/technet/security/bulletin/MS08-010.mspx; metadata: engine shared, soid 3|13455, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DXLUTBuilder ActiveX function call unicode access"; sid:13456; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-0078; reference:url,www.microsoft.com/technet/security/bulletin/MS08-010.mspx; metadata: engine shared, soid 3|13456;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Works file converter file section length headers memory corruption attempt"; sid:13466; gid:3; rev:4; classtype:attempted-user; flowbits:isset,works.download; reference:bugtraq,27657; reference:cve,2007-0216; reference:url,www.microsoft.com/technet/security/bulletin/ms08-011.mspx; metadata: engine shared, soid 3|13466, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft WebDAV MiniRedir remote code execution attempt"; sid:13474; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-0080; reference:url,www.microsoft.com/technet/security/bulletin/ms08-007.mspx; metadata: engine shared, soid 3|13474, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel macro validation arbitrary code execution attempt"; sid:13569; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-0081; reference:url,www.microsoft.com/technet/security/bulletin/MS08-014.mspx; metadata: engine shared, soid 3|13569;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel cf record arbitrary code execution attempt"; sid:13570; gid:3; rev:7; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-0117; reference:url,www.microsoft.com/technet/security/bulletin/MS08-014.mspx; metadata: engine shared, soid 3|13570, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel dval record arbitrary code execution attempt"; sid:13571; gid:3; rev:7; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-0111; reference:url,www.microsoft.com/technet/security/bulletin/MS08-014.mspx; metadata: engine shared, soid 3|13571, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint malformed shapeid arbitrary code execution attempt"; sid:13572; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2008-0118; reference:url,www.microsoft.com/technet/security/bulletin/ms08-016.mspx; metadata: engine shared, soid 3|13572, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Outlook arbitrary command line attempt"; sid:13573; gid:3; rev:3; classtype:misc-attack; reference:cve,2008-0110; reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx; metadata: engine shared, soid 3|13573;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Access download attempt"; sid:13626; gid:3; rev:5; classtype:suspicious-filename-detect; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,www.microsoft.com/technet/security/advisory/950627.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-028.mspx; metadata: engine shared, soid 3|13626, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Access JSDB download attempt"; sid:13629; gid:3; rev:5; classtype:suspicious-filename-detect; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,www.microsoft.com/technet/security/advisory/950627.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-028.mspx; metadata: engine shared, soid 3|13629, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Access TJDB download attempt"; sid:13630; gid:3; rev:5; classtype:suspicious-filename-detect; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,www.microsoft.com/technet/security/advisory/950627.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-028.mspx; metadata: engine shared, soid 3|13630, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Access MSISAM download attempt"; sid:13633; gid:3; rev:5; classtype:suspicious-filename-detect; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,www.microsoft.com/technet/security/advisory/950627.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS08-028.mspx; metadata: engine shared, soid 3|13633, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Visio DXF file invalid memory allocation exploit attempt"; sid:13665; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.dxf; reference:cve,2008-1090; reference:url,www.microsoft.com/technet/security/bulletin/MS08-019.mspx; metadata: engine shared, soid 3|13665, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT DirectX SAMI file parsing buffer overflow attempt"; sid:13823; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1444; reference:url,www.microsoft.com/technet/security/bulletin/MS08-033.mspx; metadata: engine shared, soid 3|13823, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed mjpeg arbitrary code execution attempt"; sid:13824; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-0011; reference:url,www.microsoft.com/technet/security/bulletin/MS08-033.mspx; metadata: engine shared, soid 3|13824, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer request header overwrite"; sid:13834; gid:3; rev:5; classtype:misc-activity; reference:cve,2008-1544; reference:url,www.microsoft.com/technet/security/bulletin/MS08-031.mspx; metadata: engine shared, soid 3|13834, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft malformed saved search heap corruption attempt"; sid:13893; gid:3; rev:5; classtype:attempted-admin; flowbits:isset,http.search-ms; reference:cve,2008-1435; reference:url,www.microsoft.com/technet/security/bulletin/MS08-038.mspx; metadata: engine shared, soid 3|13893, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer static text range overflow attempt"; sid:13960; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-2255; reference:url,www.microsoft.com/technet/security/bulletin/MS08-045.mspx; metadata: engine shared, soid 3|13960, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer table layout access violation vulnerability"; sid:13961; gid:3; rev:3; classtype:misc-attack; reference:cve,2008-2258; reference:url,www.microsoft.com/technet/security/bulletin/ms08-045.mspx; metadata: engine shared, soid 3|13961, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer MHTML zone control bypass attempt"; sid:13962; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1448; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-048.mspx; metadata: engine shared, soid 3|13962;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer argument validation in print preview handling vulnerability"; sid:13963; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-2259; reference:url,www.microsoft.com/technet/security/bulletin/ms08-045.mspx; metadata: engine shared, soid 3|13963, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer span frontier parsing memory corruption"; sid:13964; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-2254; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-045.mspx; metadata: engine shared, soid 3|13964, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office eps filters memory corruption attempt"; sid:13970; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.eps.download; reference:cve,2008-3019; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-044.mspx; metadata: engine shared, soid 3|13970, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; sid:13971; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2008-1455; reference:url,www.microsoft.com/technet/security/bulletin/ms08-051.mspx; metadata: engine shared, soid 3|13971, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel country record arbitrary code execution attempt"; sid:13972; gid:3; rev:8; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-3006; reference:cve,2008-4266; reference:url,www.microsoft.com/technet/security/Bulletin/ms08-043.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/ms08-074.mspx; metadata: engine shared, soid 3|13972, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel format record code execution attempt"; sid:13973; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-3005; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-043.mspx; metadata: engine shared, soid 3|13973, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer XHTML element memory corruption attempt"; sid:13974; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-2257; reference:url,www.microsoft.com/technet/security/bulletin/MS08-045.mspx; metadata: engine shared, soid 3|13974;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Event System ActiveX clsid access"; sid:13975; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1457; reference:url,www.microsoft.com/technet/security/bulletin/MS08-049.mspx; metadata: engine shared, soid 3|13975, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access"; sid:13976; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1457; reference:url,www.microsoft.com/technet/security/bulletin/MS08-049.mspx; metadata: engine shared, soid 3|13976;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Event System ActiveX function call access"; sid:13977; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1457; reference:url,www.microsoft.com/technet/security/bulletin/MS08-049.mspx; metadata: engine shared, soid 3|13977, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access"; sid:13978; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-1457; reference:url,www.microsoft.com/technet/security/bulletin/MS08-049.mspx; metadata: engine shared, soid 3|13978;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Event System Subscription VBScript access"; sid:13979; gid:3; rev:6; classtype:attempted-user; reference:cve,2008-1457; reference:url,www.microsoft.com/technet/security/bulletin/MS08-049.mspx; metadata: engine shared, soid 3|13979, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer http status response memory corruption vulnerability"; sid:13980; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-2256; reference:url,www.microsoft.com/technet/security/bulletin/MS08-045.mspx; metadata: engine shared, soid 3|13980, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed chart arbitrary code execution attempt"; sid:13981; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-3004; reference:url,www.microsoft.com/technet/security/bulletin/MS08-043.mspx; metadata: engine shared, soid 3|13981, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GDI VML gradient size heap overflow attempt"; sid:14261; gid:3; rev:5; classtype:attempted-user; reference:cve,2007-5348; reference:url,www.microsoft.com/technet/security/bulletin/MS08-052.mspx; metadata: engine shared, soid 3|14261, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OneNote iframe caller exploit attempt"; sid:14262; gid:3; rev:3; classtype:web-application-attack; reference:cve,2008-3007; reference:url,www.microsoft.com/technet/security/bulletin/MS08-055.mspx; metadata: engine shared, soid 3|14262;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel invalid FRTWrapper record buffer overflow attempt"; sid:14641; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-3471; reference:url,www.microsoft.com/technet/security/bulletin/MS08-057.mspx; metadata: engine shared, soid 3|14641, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel file with embedded ActiveX control"; sid:14642; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-3477; reference:url,www.microsoft.com/technet/security/bulletin/MS08-057.mspx; metadata: engine shared, soid 3|14642, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; sid:14643; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-2947; reference:url,www.microsoft.com/technet/security/bulletin/MS08-058.mspx; metadata: engine shared, soid 3|14643, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer cross domain unfocusable HTML element"; sid:14644; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3472; reference:url,www.microsoft.com/technet/security/bulletin/MS08-058.mspx; metadata: engine shared, soid 3|14644;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer cross domain setExpression exploit attempt"; sid:14645; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-3476; reference:url,www.microsoft.com/technet/security/bulletin/MS08-058.mspx; metadata: engine shared, soid 3|14645, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE XSS mouseevent PII disclosure attempt"; sid:14656; gid:3; rev:3; classtype:web-application-activity; reference:cve,2008-3473; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-053.mspx; metadata: engine shared, soid 3|14656, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE cross domain componentFromPoint memory corruption attempt"; sid:14657; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3475; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-058.mspx; metadata: engine shared, soid 3|14657, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft XML core services cross-domain information disclosure attempt"; sid:15011; gid:3; rev:4; classtype:misc-attack; reference:cve,2008-4033; reference:url,www.microsoft.com/technet/security/bulletin/MS08-069.mspx; metadata: engine shared, soid 3|15011, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Visual Basic 6.0 malformed AVI buffer overflow attempt"; sid:15104; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4255; reference:url,www.microsoft.com/technet/security/bulletin/MS08-070.mspx; metadata: engine shared, soid 3|15104, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft GDI WMF file parsing integer overflow attempt"; sid:15105; gid:3; rev:5; classtype:attempted-admin; flowbits:isset,wmf.download; reference:cve,2008-2249; reference:url,www.microsoft.com/technet/security/bulletin/MS08-071.mspx; metadata: engine shared, soid 3|15105, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word .rtf file integer overflow attempt"; sid:15106; gid:3; rev:2; classtype:misc-attack; reference:cve,2008-4025; reference:url,www.microsoft.com/technet/security/bulletin/MS08-072.mspx; metadata: engine shared, soid 3|15106, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word .rtf file stylesheet buffer overflow attempt"; sid:15107; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.rtf; reference:cve,2008-4031; reference:url,www.microsoft.com/technet/security/bulletin/MS08-072.mspx; metadata: engine shared, soid 3|15107, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): despite the WEB-CLIENT prefix, the header here is $EXTERNAL_NET any ->
# $HOME_NET $HTTP_PORTS, i.e. it inspects requests arriving at internal web servers
# (SharePoint in this case; sid 15475 for ISA Server below has the same shape). Coverage
# therefore depends on $HOME_NET including the server segment and on $HTTP_PORTS
# including the port the server actually listens on; a browser in $HOME_NET fetching the
# payload from an external server is not on this rule's path.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Office Sharepoint Server elevation of privilege exploit attempt"; sid:15108; gid:3; rev:2; classtype:attempted-admin; reference:cve,2008-4032; reference:url,www.microsoft.com/technet/security/bulletin/MS08-077.mspx; metadata: engine shared, soid 3|15108, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer embed src buffer overflow attempt"; sid:15114; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-4261; reference:url,www.microsoft.com/technet/security/bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15114, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT WebDAV pathname buffer overflow attempt"; sid:15115; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4259; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-073.mspx; metadata: engine shared, soid 3|15115;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows search protocol handler access attempt"; sid:15116; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-4269; reference:url,www.microsoft.com/technet/security/bulletin/MS08-075.mspx; metadata: engine shared, soid 3|15116, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): the header is $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any, so this rule
# watches responses leaving internal web servers, whereas sid 15303 directly below checks
# the same visio.request flowbit in the usual client-side direction ($EXTERNAL_NET
# $HTTP_PORTS -> $HOME_NET any). As written it will not see a malicious Visio file served
# to an internal browser by an external server — verify against the SO's intended
# direction before treating it as client-side coverage. The url reference also lacks the
# ".mspx" suffix used by every other bulletin link in this section.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Microsoft Office Visio invalid ho tag attempt"; sid:15299; gid:3; rev:3; classtype:attempted-user; flowbits:isset,visio.request; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,www.microsoft.com/technet/security/bulletin/MS09-005; metadata: engine shared, soid 3|15299, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Malformed Visio IconBitsComponent arbitrary code execution attempt"; sid:15303; gid:3; rev:2; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2009-0095; reference:url,www.microsoft.com/technet/security/bulletin/ms09-005.mspx; metadata: engine shared, soid 3|15303, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer object clone deletion memory corruption attempt"; sid:15304; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0075; reference:url,www.microsoft.com/technet/security/bulletin/MS09-002.mspx; metadata: engine shared, soid 3|15304, service http, policy balanced-ips alert, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer dynamic style update memory corruption attempt"; sid:15305; gid:3; rev:4; classtype:attempted-user; reference:cve,2009-0076; reference:url,www.microsoft.com/technet/security/bulletin/MS09-002.mspx; metadata: engine shared, soid 3|15305, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer marquee tag onstart memory corruption"; sid:15461; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0554; reference:url,www.microsoft.com/technet/security/bulletin/MS09-014.mspx; metadata: engine shared, soid 3|15461, service http, policy balanced-ips alert, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt"; sid:15462; gid:3; rev:8; classtype:attempted-user; reference:bugtraq,35462; reference:cve,2005-2922; reference:cve,2009-0086; reference:cve,2009-2121; reference:url,www.microsoft.com/technet/security/bulletin/MS09-013.mspx; metadata: engine shared, soid 3|15462, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Safari-IE SearchPath blended threat dll request"; sid:15468; gid:3; rev:4; classtype:attempted-user; flowbits:set,safari.dll; flowbits:noalert; reference:cve,2008-2540; reference:url,www.microsoft.com/technet/security/bulletin/MS09-015.mspx; metadata: engine shared, soid 3|15468, service http, policy balanced-ips drop, policy security-ips drop;)
# Office-document stubs in this section gate on file-type flowbits (http.doc,
# http.ppt, http.xls, ...) that no rule in this section sets; they are presumably
# set by the file-identification rules elsewhere in the ruleset — verify those
# are enabled, otherwise these stubs never match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft WordPad and Office text converters integer underflow attempt"; sid:15469; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS09-010.mspx; metadata: engine shared, soid 3|15469, policy security-ips drop;)
# NOTE(review): sid 15475 is a request-direction rule ($EXTERNAL_NET any ->
# $HOME_NET $HTTP_PORTS) aimed at an ISA Server inside $HOME_NET, i.e. server-side
# traffic despite the WEB-CLIENT prefix; it only sees traffic if the ISA listener
# is covered by $HOME_NET and $HTTP_PORTS.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT ISA Server cross-site scripting attempt"; sid:15475; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-0237; reference:url,www.microsoft.com/technet/security/bulletin/MS09-016.mspx; metadata: engine shared, soid 3|15475, service http, policy balanced-ips drop, policy security-ips drop;)
# TRUFFLEHUNTER stubs (SFVRT-1003 here, SFVRT-1004 at sid 16224) carry no public
# reference on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT TRUFFLEHUNTER SFVRT-1003 attack attempt"; sid:15480; gid:3; rev:1; classtype:attempted-user; metadata: engine shared, soid 3|15480, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PowerPoint 95 converter CString in ExEmbed container buffer overflow attempt"; sid:15499; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-1129; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15499, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint LinkedSlide memory corruption"; sid:15500; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-0221; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15500, service http, policy balanced-ips drop, policy security-ips drop;)
# sids 15501 and 15502 both map to CVE-2009-0224, one per PowerPoint record type.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint ParaBuildAtom memory corruption attempt"; sid:15501; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-0224; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15501, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint DiagramBuildContainer memory corruption attempt"; sid:15502; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-0224; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15502, policy security-ips drop;)
# NOTE(review): sids 15503 and 15504 drop on the mere download of a PowerPoint
# 95 / 4.0 file in the balanced and security policies (no flowbit gate, 15503 has
# no CVE); expect false positives where legacy .ppt files are served legitimately.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Download of PowerPoint 95 file"; sid:15503; gid:3; rev:1; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15503, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Download of PowerPoint 4.0 file"; sid:15504; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0220; reference:cve,2009-0223; reference:cve,2009-0226; reference:cve,2009-0227; reference:cve,2009-1137; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15504, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint HashCode10Atom memory corruption attempt"; sid:15505; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-1130; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15505, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint CurrentUserAtom remote code execution attempt"; sid:15506; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-1131; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15506, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 15517 references both the pre-patch advisory (971778) and the MS09-028
# bulletin; policy action is alert rather than drop, unlike sid 15682 below.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt"; sid:15517; gid:3; rev:5; classtype:attempted-user; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,www.microsoft.com/technet/security/advisory/971778.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS09-028.mspx; metadata: engine shared, soid 3|15517, service http, policy balanced-ips alert, policy security-ips alert;)
# MS09-019 (Internet Explorer) stubs: sids 15529, 15531, 15534, 15535, 15536,
# 15538 and 15540. classtype varies across them (misc-attack, attempted-user,
# attempted-admin) although all cover the same bulletin.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; sid:15529; gid:3; rev:2; classtype:misc-attack; reference:cve,2007-3091; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15529, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 15531 has no service/policy metadata, so it is not in any
# default policy; confirm that is intended for a code-execution rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Unexpected method call remote code execution attempt"; sid:15531; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-1141; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15531;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE XML HttpRequest race condition exploit attempt"; sid:15534; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-1528; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15534, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE setCapture heap corruption exploit attempt"; sid:15535; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1529; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15535, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE invalid object modification exploit attempt"; sid:15536; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-1530; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15536, service http, policy balanced-ips drop, policy security-ips drop;)
# MS09-021 (Excel) stubs, all gated on the http.xls flowbit: sids 15537, 15539,
# 15541 and 15542.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel MsoDrawingGroup record remote code execution attempt"; sid:15537; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0559; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15537, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 15538 (MS09-019) and sid 16507 further down (MS10-018) share
# the msg "onreadystatechange memory corruption attempt" but cover different CVEs;
# the identical msg makes alert triage harder.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer onreadystatechange memory corruption attempt"; sid:15538; gid:3; rev:2; classtype:misc-attack; reference:cve,2009-1531; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15538;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel Formula record remote code execution attempt"; sid:15539; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0560; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15539;)
# NOTE(review): classtype attempted-admin on sid 15540 differs from the
# attempted-user used by the other IE rules in this section; confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE DOM memory corruption attempt"; sid:15540; gid:3; rev:2; classtype:attempted-admin; reference:cve,2009-1532; reference:url,www.microsoft.com/technet/security/bulletin/MS09-019.mspx; metadata: engine shared, soid 3|15540, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel SST record remote code execution attempt"; sid:15541; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,36042; reference:cve,2009-0561; reference:cve,2009-3037; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21396492; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15541, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel Qsir and Qsif record remote code execution attempt"; sid:15542; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-1134; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15542, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DirectShow QuickTime file stsc atom parsing heap corruption attempt"; sid:15682; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1538; reference:url,www.microsoft.com/technet/security/bulletin/MS09-028.mspx; metadata: engine shared, soid 3|15682, service http, policy balanced-ips drop, policy security-ips drop;)
# Embedded OpenType (MS09-029) stubs: sid 15693 here and 15694/15695 below are
# gated on the eot.download flowbit, which nothing in this section sets.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Embedded Open Type Font malformed name table overflow attempt"; sid:15693; gid:3; rev:2; classtype:attempted-user; flowbits:isset,eot.download; reference:cve,2009-0231; reference:url,www.microsoft.com/technet/security/bulletin/MS09-029.mspx; metadata: engine shared, soid 3|15693, service http, policy balanced-ips drop, policy security-ips drop;)
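# Both EOT name-table rules map to CVE-2009-0232 (sid 15694 generic, sid 15695
# for platform type 3) and depend on the eot.download flowbit, which no rule in
# this section sets. The msg strings previously ended in a stray space
# ("... attempt "), which shows up in alert output and breaks exact-match
# filtering on msg; the trailing space is removed here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Embedded Open Type Font malformed name table integer overflow attempt"; sid:15694; gid:3; rev:3; classtype:attempted-user; flowbits:isset,eot.download; reference:cve,2009-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS09-029.mspx; metadata: engine shared, soid 3|15694, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Embedded Open Type Font malformed name table platform type 3 integer overflow attempt"; sid:15695; gid:3; rev:3; classtype:attempted-user; flowbits:isset,eot.download; reference:cve,2009-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS09-029.mspx; metadata: engine shared, soid 3|15695, policy security-ips drop;)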
# sid 15854 and sid 16342 (further down, "truncated" variant) share the same
# bugtraq/CVE/MS09-038 references.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows AVIFile media file processing memory corruption attempt"; sid:15854; gid:3; rev:4; classtype:attempted-user; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,www.microsoft.com/technet/security/bulletin/MS09-038.mspx; metadata: engine shared, soid 3|15854, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT javascript arguments keyword override rce attempt"; sid:15913; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-1920; reference:url,www.microsoft.com/technet/security/bulletin/MS09-045.mspx; metadata: engine shared, soid 3|15913, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): the six MS09-047 ASF header stubs below (sids 15914-15919) and
# sid 16338 further down are the only rules in this section tagged
# "policy connectivity-ips drop" instead of "policy security-ips drop". Every
# other rule here pairs balanced-ips with security-ips, and security-ips is
# normally the superset of balanced, so this looks like a copy-paste slip that
# leaves these seven rules out of the security policy; confirm against the
# vendor stubs before changing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media sample duration header RCE attempt"; sid:15914; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|15914, service http, policy balanced-ips drop, policy connectivity-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media Timecode header RCE attempt"; sid:15915; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|15915, service http, policy balanced-ips drop, policy connectivity-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media file name header RCE attempt"; sid:15916; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|15916, service http, policy balanced-ips drop, policy connectivity-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media content type header RCE attempt"; sid:15917; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|15917, service http, policy balanced-ips drop, policy connectivity-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media pixel aspect ratio header RCE attempt"; sid:15918; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|15918, service http, policy balanced-ips drop, policy connectivity-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media encryption sample ID header RCE attempt"; sid:15919; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|15919, service http, policy balanced-ips drop, policy connectivity-ips drop;)
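# MS09-054 Internet Explorer stub. The msg previously read "unitialized"; the typo
# is corrected to "uninitialized" so the alert label matches the vulnerability
# description. NOTE(review): classtype is misc-activity here while the other IE
# memory-corruption stubs in this section use attempted-user; confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer uninitialized or deleted object access attempt"; sid:16151; gid:3; rev:3; classtype:misc-activity; reference:cve,2009-2530; reference:url,www.microsoft.com/technet/security/bulletin/MS09-054.mspx; metadata: engine shared, soid 3|16151, policy security-ips drop;)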
# October 2009 bulletin stubs (MS09-051/052/057/061/062). sids 16153, 16154 and
# 16155 have no service/policy metadata and so sit outside every default policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed WMF meta escape record memory corruption"; sid:16153; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2500; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16153;)
# Gated on exe.download rather than an image flowbit: the GDI+ .NET bug is
# reached through a downloaded executable, per the msg.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GDI+ .NET image property parsing memory corruption"; sid:16154; gid:3; rev:2; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2009-2504; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16154;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer indexing service malformed parameters"; sid:16155; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2507; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-057.mspx; metadata: engine shared, soid 3|16155;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt"; sid:16156; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; metadata: engine shared, soid 3|16156, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed ASF voice codec memory corruption"; sid:16157; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-0555; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-051.mspx; metadata: engine shared, soid 3|16157, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed ASF codec memory corruption"; sid:16158; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2525; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-051.mspx; metadata: engine shared, soid 3|16158, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 16169 repeats the msg, CVE-2009-0076 and MS09-002 reference of
# sid 15305 above; presumably a second detection for the same bug, but the
# identical msg means the two cannot be told apart in alert output. Confirm both
# are meant to stay enabled.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer dynamic style update memory corruption attempt"; sid:16169; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0076; reference:url,www.microsoft.com/technet/security/bulletin/MS09-002.mspx; metadata: engine shared, soid 3|16169, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft .NET MSIL CombineImpl suspicious usage"; sid:16183; gid:3; rev:2; classtype:attempted-user; flowbits:isset,exe.download; reference:cve,2009-0091; reference:url,www.microsoft.com/technet/security/bulletin/MS09-061.mspx; metadata: engine shared, soid 3|16183, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft GDI+ interlaced PNG file parsing heap overflow attempt"; sid:16186; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-3126; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; metadata: engine shared, soid 3|16186, service http, policy balanced-ips drop, policy security-ips drop;)
# Adobe Shockwave (APSB09-16) stubs, gated on the http.dir flowbit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Shockwave director file malformed lcsr block memory corruption attempt"; sid:16220; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2009-3466; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; metadata: engine shared, soid 3|16220, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Shockwave tSAC pointer overwrite attempt"; sid:16223; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2009-3464; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; metadata: engine shared, soid 3|16223, service http, policy balanced-ips drop, policy security-ips drop;)
# TRUFFLEHUNTER SFVRT-1004: no public reference, classtype attempted-dos, gated on
# http.mp4 and outside every default policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT TRUFFLEHUNTER SFVRT-1004 attack attempt"; sid:16224; gid:3; rev:2; classtype:attempted-dos; flowbits:isset,http.mp4; metadata: engine shared, soid 3|16224;)
# NOTE(review): sid 16228 uses classtype attempted-admin while the neighbouring
# MS09-067 Excel stubs (16229, 16236, 16241) use attempted-user; confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt"; sid:16228; gid:3; rev:2; classtype:attempted-admin; flowbits:isset,http.xls; reference:cve,2009-3134; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16228, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt"; sid:16229; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3131; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16229, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows kernel-mode drivers core font parsing integer overflow attempt"; sid:16231; gid:3; rev:3; classtype:attempted-admin; reference:cve,2009-2514; reference:url,www.microsoft.com/technet/security/bulletin/MS09-065.mspx; metadata: engine shared, soid 3|16231;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word Document remote code execution attempt"; sid:16234; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-3135; reference:url,www.microsoft.com/technet/security/bulletin/MS09-068.mspx; metadata: engine shared, soid 3|16234, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel file SxView record exploit attempt"; sid:16236; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3128; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16236, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel FeatHdr BIFF record remote code execution attempt"; sid:16241; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3129; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16241, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player malformed getPropertyLate actioncode attempt"; sid:16316; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2009-3797; metadata: engine shared, soid 3|16316, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 16318 is byte-for-byte the same rule as sid 15299 above apart
# from sid/rev (same msg, flowbit, references and header). Keeping both doubles
# the alert for one event; confirm whether 15299 should be retired.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Microsoft Office Visio invalid ho tag attempt"; sid:16318; gid:3; rev:1; classtype:attempted-user; flowbits:isset,visio.request; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,www.microsoft.com/technet/security/bulletin/MS09-005; metadata: engine shared, soid 3|16318, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 16319 checks the safari.dll flowbit that sid 15468 sets on a
# $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS request. The return traffic of that
# flow is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, but this header is
# $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any, so the two halves appear not to
# describe the same flow; confirm the intended header.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Safari-IE SearchPath blended threat attempt"; sid:16319; gid:3; rev:1; classtype:attempted-user; flowbits:isset,safari.dll; reference:cve,2008-2540; reference:url,www.microsoft.com/technet/security/bulletin/MS09-015.mspx; metadata: engine shared, soid 3|16319, service http, policy balanced-ips drop, policy security-ips drop;)
# Adobe Reader (CVE-2009-29xx) stubs: 16320 and 16321 have no flowbit gate,
# 16322 and 16324 require http.pdf. None carries a vendor bulletin URL.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe PNG empty sPLT exploit attempt"; sid:16320; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-2984; metadata: engine shared, soid 3|16320, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe tiff oversized image length attempt"; sid:16321; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-2995; metadata: engine shared, soid 3|16321, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader oversized object width attempt"; sid:16322; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-2980; metadata: engine shared, soid 3|16322, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe doc.export arbitrary file write attempt"; sid:16324; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2009-2993; metadata: engine shared, soid 3|16324, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer orphan DOM objects memory corruption attempt"; sid:16330; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-3674; reference:url,www.microsoft.com/technet/security/bulletin/MS09-072.mspx; metadata: engine shared, soid 3|16330;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player JPEG parsing heap overflow attempt"; sid:16331; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.swf; reference:cve,2009-3794; metadata: engine shared, soid 3|16331;)
# Seventh MS09-047 stub; carries the same "policy connectivity-ips drop" tag as
# sids 15914-15919 above (see the note there).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media extended stream properties object RCE attempt"; sid:16338; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.asf; reference:cve,2009-2498; reference:url,www.microsoft.com/technet/security/bulletin/ms09-047.mspx; metadata: engine shared, soid 3|16338, service http, policy balanced-ips drop, policy connectivity-ips drop;)
# Obfuscated-payload variant of sid 15304 (same CVE-2009-0075 / MS09-002); the
# " - obfuscated" suffix keeps the two distinguishable in alert output.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer object clone deletion memory corruption attempt - obfuscated"; sid:16339; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-0075; reference:url,www.microsoft.com/technet/security/bulletin/MS09-002.mspx; metadata: engine shared, soid 3|16339, service http, policy balanced-ips alert, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; sid:16342; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,www.microsoft.com/technet/security/bulletin/MS09-038.mspx; metadata: engine shared, soid 3|16342, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer invalid object access memory corruption attempt"; sid:16367; gid:3; rev:5; classtype:attempted-user; reference:cve,2010-0249; reference:url,www.microsoft.com/technet/security/bulletin/MS10-002.mspx; metadata: engine shared, soid 3|16367, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat Reader U3D CLODMeshContinuation code execution attempt"; sid:16373; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:bugtraq,36665; reference:cve,2009-2990; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; metadata: engine shared, soid 3|16373, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 16378 has a CVE but no bulletin URL and no service/policy metadata.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer deleted object cells reference memory corruption vulnerability"; sid:16378; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0248; metadata: engine shared, soid 3|16378;)
# Request-direction stub ($HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS): the
# "improper filename" is presumably observed in the client's request rather than
# in a served document, which is why it has no http.ppt gate and alerts rather
# than drops.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft PowerPoint improper filename remote code execution attempt"; sid:16409; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-0029; reference:url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx; metadata: engine shared, soid 3|16409, service http, policy balanced-ips alert, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt"; sid:16410; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-0030; reference:url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx; metadata: engine shared, soid 3|16410, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint out of bounds value remote code execution attempt"; sid:16411; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-0031; reference:url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx; metadata: engine shared, soid 3|16411, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code execution attempt"; sid:16412; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-0033; reference:url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx; metadata: engine shared, soid 3|16412, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt"; sid:16413; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-0034; reference:url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx; metadata: engine shared, soid 3|16413;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Shell Handler remote code execution attempt"; sid:16414; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0027; reference:url,www.microsoft.com/technet/security/bulletin/MS10-007.mspx; metadata: engine shared, soid 3|16414, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Malformed XLS MSODrawing Record"; sid:16416; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0243; reference:url,www.microsoft.com/technet/security/bulletin/MS10-003.mspx; metadata: engine shared, soid 3|16416;)
# References the pre-patch advisory 980088 only; covers two CVEs.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE7/8 execute local file in Internet zone redirect attempt"; sid:16423; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0255; reference:cve,2010-0555; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; metadata: engine shared, soid 3|16423, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel ContinueFRT12 heap overflow attempt"; sid:16464; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0260; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16464, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel ContinueFRT12 and MDXSet heap overflow attempt"; sid:16465; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0261; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16465, policy security-ips drop;)
# NOTE(review): sids 16470 and 16471 carry the identical msg
# "...DbOrParamQry.fWeb parsing remote code execution attempt" and the same CVE;
# if they detect different conditions, one msg should be renamed so the alerts
# can be told apart, otherwise one stub is redundant.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt"; sid:16469; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0264; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16469, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel DbOrParamQry.fWeb parsing remote code execution attempt"; sid:16470; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0264; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16470, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel DbOrParamQry.fWeb parsing remote code execution attempt"; sid:16471; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0264; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; metadata: engine shared, soid 3|16471, service http, policy balanced-ips drop, policy security-ips drop;)
# References a KB article (980182) rather than a bulletin.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt"; sid:16482; gid:3; rev:4; classtype:attempted-user; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; metadata: engine shared, soid 3|16482, service http, policy balanced-ips drop, policy security-ips drop;)
# MS10-018 stubs: 16506 and 16508 have no policy metadata, 16507 is security-ips
# only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE innerHTML against incomplete element heap corruption attempt"; sid:16506; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-0490; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16506;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer onreadystatechange memory corruption attempt"; sid:16507; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-0491; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16507, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE8 non-IE8 compatibility mode htmltime remote code execution attempt"; sid:16508; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0492; reference:url,www.microsoft.com/technet/security/bulletin/MS10-018.mspx; metadata: engine shared, soid 3|16508;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Media Player codec code execution attempt"; sid:16543; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.avi; reference:cve,2010-0480; reference:url,www.microsoft.com/technet/security/bulletin/MS10-026.mspx; metadata: engine shared, soid 3|16543, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader malformed Richmedia annotation exploit attempt"; sid:16545; gid:3; rev:3; classtype:attempted-admin; flowbits:isset,http.pdf; reference:cve,2010-0197; reference:cve,2010-1297; metadata: engine shared, soid 3|16545, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word Document remote code execution attempt"; sid:16586; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2009-3135; reference:url,www.microsoft.com/technet/security/bulletin/MS09-068.mspx; metadata: engine shared, soid 3|16586, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft VBE6.dll stack corruption attempt"; sid:16593; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-0815; reference:url,www.microsoft.com/technet/security/bulletin/MS10-031.mspx; metadata: engine shared, soid 3|16593, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe PDF File containing Flash use-after-free attack"; sid:16633; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2010-1297; metadata: engine shared, soid 3|16633, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash use-after-free attack"; sid:16634; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1297; metadata: engine shared, soid 3|16634, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt"; sid:16638; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0822; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16638, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with macro"; sid:16639; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0822; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16639, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with linkFmla"; sid:16640; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0822; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16640, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; sid:16641; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0822; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16641, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel Chart Sheet Substream memory corruption attempt"; sid:16643; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0823; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16643, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel RealTimeData record heap memory corruption attempt - 2"; sid:16647; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1247; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16647, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 1"; sid:16650; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1249; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16650;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 2"; sid:16651; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1249; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16651;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 3"; sid:16652; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1249; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16652;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 4"; sid:16653; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1249; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16653;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel undocumented Publisher record heap buffer overflow attempt"; sid:16654; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1250; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16654;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel Lbl record stack overflow attempt"; sid:16655; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1251; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16655;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel BIFF5 ExternSheet record stack overflow attempt"; sid:16656; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1252; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16656;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel DBQueryExt record memory corruption attempt"; sid:16657; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1253; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16657;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer 8 cross-site scripting attempt"; sid:16658; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-1257; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; metadata: engine shared, soid 3|16658, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 16800 uses the "EXPLOIT" msg prefix while the surrounding stubs use "WEB-CLIENT";
# any alert filtering, routing or dashboard keyed on the "WEB-CLIENT" prefix will miss it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel FRTWrapper record buffer overflow attempt"; sid:16800; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-3471; reference:url,www.microsoft.com/technet/security/bulletin/MS08-057.mspx; metadata: engine shared, soid 3|16800, service http, policy balanced-ips drop, policy security-ips drop;)
# Two-stage detection for MS10-060: sid 17113 only sets the imagesource.redefine flowbit and is
# flowbits:noalert (classtype misc-activity, no policy entry), sid 17114 fires when that bit is already
# set on the flow. Disabling 17113 — or leaving it out of a policy that enables 17114 — silently
# disables 17114 as well.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SilverLight ImageSource redefine flowbit"; sid:17113; gid:3; rev:2; classtype:misc-activity; flowbits:set,imagesource.redefine; flowbits:noalert; metadata: engine shared, soid 3|17113;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SilverLight ImageSource remote code execution attempt"; sid:17114; gid:3; rev:1; classtype:attempted-user; flowbits:isset,imagesource.redefine; reference:cve,2010-0019; reference:url,www.microsoft.com/technet/security/bulletin/MS10-060.mspx; metadata: engine shared, soid 3|17114, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer cross domain information disclosure attempt"; sid:17115; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1258; reference:url,www.microsoft.com/technet/security/bulletin/MS10-053.mspx; metadata: engine shared, soid 3|17115;)
# sid 17120-17124 (MS10-056 RTF/Word parsing) carry no flowbits gate, so they run against every
# in-scope HTTP response rather than only flows already identified as carrying a document.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT rich text format unexpected field type memory corruption attempt 1"; sid:17120; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-1901; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; metadata: engine shared, soid 3|17120, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT rich text format unexpected field type memory corruption attempt 2"; sid:17121; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-1901; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; metadata: engine shared, soid 3|17121, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT rich text format unexpected field type memory corruption attempt 3"; sid:17122; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-1901; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; metadata: engine shared, soid 3|17122, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT rich text format invalid field size memory corruption attempt"; sid:17123; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-1902; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; metadata: engine shared, soid 3|17123, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word malformed table record memory corruption attempt"; sid:17124; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-1903; reference:url,www.microsoft.com/technet/security/bulletin/ms10-056.mspx; metadata: engine shared, soid 3|17124, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 17129 and 17133 are classed attempted-dos while the neighbouring IE/Office
# memory-corruption stubs use attempted-user; classtype drives the default alert priority, so confirm
# the lower classification is intended rather than inherited from an older revision.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer use-after-free memory corruption attempt"; sid:17129; gid:3; rev:3; classtype:attempted-dos; reference:cve,2010-2556; reference:url,www.microsoft.com/technet/security/bulletin/ms10-053.mspx; metadata: engine shared, soid 3|17129;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE boundElements arbitrary code execution"; sid:17130; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,www.microsoft.com/technet/security/bulletin/ms10-053.mspx; metadata: engine shared, soid 3|17130, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE8 parent style rendering arbitrary code execution"; sid:17131; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-2559; reference:url,www.microsoft.com/technet/security/bulletin/ms10-053.mspx; metadata: engine shared, soid 3|17131, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MSXML2 ActiveX malformed HTTP response"; sid:17133; gid:3; rev:2; classtype:attempted-dos; reference:cve,2010-2561; reference:url,www.microsoft.com/technet/security/bulletin/ms10-051.mspx; metadata: engine shared, soid 3|17133;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel out-of-bounds structure read memory corruption attempt"; sid:17134; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-2562; reference:url,www.microsoft.com/technet/security/bulletin/ms10-057.mspx; metadata: engine shared, soid 3|17134;)
# Adobe Director (.dir) stubs. sid 17179-17189 carry no flowbits gate and therefore run against every
# in-scope HTTP response; sid 17199-17204 are gated on the http.dir file-type bit, which a separate rule
# (not on this page) must set first.
# Several consecutive stubs share one msg (17180/17181, 17182-17184, 17185-17189): presumably distinct
# detection variants for the same record type — in alert output they differ by sid only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file pamm record exploit attempt"; sid:17179; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17179, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file LsCM record exploit attempt"; sid:17180; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2864; metadata: engine shared, soid 3|17180, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file LsCM record exploit attempt"; sid:17181; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2864; metadata: engine shared, soid 3|17181, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file tSAC record exploit attempt"; sid:17182; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17182, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file tSAC record exploit attempt"; sid:17183; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17183, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file tSAC record exploit attempt"; sid:17184; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17184, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file rcsL record exploit attempt"; sid:17185; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17185, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file rcsL record exploit attempt"; sid:17186; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17186, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file rcsL record exploit attempt"; sid:17187; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17187, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file rcsL record exploit attempt"; sid:17188; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17188, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file rcsL record exploit attempt"; sid:17189; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2868; reference:cve,2010-2869; metadata: engine shared, soid 3|17189, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): the msg of sid 17199, 17201, 17202, 17203 and 17204 reads "Director file file ..."
# (doubled word). msg is the emitted alert string, so it is left exactly as shipped here; fix it at the
# source in a rev bump rather than by hand-editing deployed stubs.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file file lRTX overflow attempt"; sid:17199; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2863; metadata: engine shared, soid 3|17199, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file LsCM overflow attempt"; sid:17200; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2864; metadata: engine shared, soid 3|17200, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file file LsCM overflow attempt"; sid:17201; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2865; metadata: engine shared, soid 3|17201, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file file Shockwave 3D overflow attempt"; sid:17202; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2866; metadata: engine shared, soid 3|17202, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file file rcsL overflow attempt"; sid:17203; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2867; metadata: engine shared, soid 3|17203, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Director file file mmap overflow attempt"; sid:17204; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.dir; reference:cve,2010-2870; metadata: engine shared, soid 3|17204, service http, policy balanced-ips drop, policy security-ips drop;)
# Microsoft client-side stubs (fonts, IE, Office). Most are in both shipped IPS policies; the
# exceptions worth knowing about when auditing coverage are sid 17720 and 18069 (security-ips only).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows uniscribe fonts parsing memory corruption attempt"; sid:17256; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-2738; reference:url,www.microsoft.com/technet/security/bulletin/MS10-063.mspx; metadata: engine shared, soid 3|17256, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer marquee object handling memory corruption attempt"; sid:17462; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-0554; reference:url,www.microsoft.com/technet/security/bulletin/ms09-014.mspx; metadata: engine shared, soid 3|17462, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed formula parsing code execution attempt"; sid:17655; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:bugtraq,28167; reference:cve,2008-0115; reference:url,www.microsoft.com/technet/security/bulletin/MS08-014.mspx; metadata: engine shared, soid 3|17655, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 17688 and 17689 share their msg and CVE (2010-0806) with each other; presumably alternate
# detection variants, told apart by sid only in alert output.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt"; sid:17688; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; metadata: engine shared, soid 3|17688, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt"; sid:17689; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; metadata: engine shared, soid 3|17689, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer ExecWB security zone bypass attempt"; sid:17692; gid:3; rev:1; classtype:attempted-user; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,www.microsoft.com/technet/security/bulletin/MS08-045.mspx; metadata: engine shared, soid 3|17692, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows AVI file chunk length integer overflow attempt"; sid:17694; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.avi; reference:bugtraq,35970; reference:cve,2009-1546; metadata: engine shared, soid 3|17694, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint paragraph format array inner header overflow attempt"; sid:17695; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.ppt; reference:bugtraq,34833; reference:cve,2009-0220; metadata: engine shared, soid 3|17695, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer EMBED element memory corruption attempt"; sid:17709; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-014.mspx; metadata: engine shared, soid 3|17709, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer static text range overflow attempt"; sid:17720; gid:3; rev:2; classtype:attempted-user; reference:cve,2008-2255; reference:url,www.microsoft.com/technet/security/bulletin/MS08-045.mspx; metadata: engine shared, soid 3|17720, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word XP PLFLSInTableStream heap overflow attempt"; sid:17756; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-3220; reference:url,www.microsoft.com/technet/security/bulletin/MS10-079.mspx; metadata: engine shared, soid 3|17756, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel CrErr record integer overflow attempt"; sid:17757; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3230; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17757, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 17759 and 17764 use the "EXPLOIT" msg prefix while every neighbour uses
# "WEB-CLIENT"; alert filtering keyed on the prefix will miss these two MS10-080 detections.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel invalid SerAr object exploit attempt"; sid:17759; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3239; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17759, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Excel PtgName invalid index exploit attempt"; sid:17764; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3235; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17764, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer CSS style memory corruption attempt"; sid:18062; gid:3; rev:4; classtype:attempted-user; reference:cve,2010-3962; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18062, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): the bulletin URLs on sid 18066 and 18067 lack the ".mspx" suffix every other
# Microsoft reference on this page carries; verify they still resolve before relying on them in triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint integer underflow heap corruption attempt"; sid:18066; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2010-2573; reference:url,www.microsoft.com/technet/security/bulletin/MS10-088; metadata: engine shared, soid 3|18066, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office RTF parsing remote code execution attempt"; sid:18067; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-3333; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087; metadata: engine shared, soid 3|18067, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Art drawing invalid shape identifier attempt"; sid:18069; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3336; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087.mspx; metadata: engine shared, soid 3|18069, policy security-ips drop;)
# Outbound "dll-load" / "malicious DLL load" stubs (sid 18071, 18202-18210, 18222-18224) are written as
# $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS: they inspect the client's request toward a web server,
# the opposite direction from the rest of the WEB-CLIENT section, so they need the client->server side
# of the flow to be visible to the sensor.
# NOTE(review): sid 18071, 18208 and 18222-18224 carry neither "service http" nor any policy entry;
# presumably none of the shipped policies enable them — turn them on explicitly if the referenced
# bulletins (MS10-087, MS10-094, MS10-095) matter to the environment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Office pptimpconv.dll dll-load exploit attempt"; sid:18071; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3337; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087.mspx; metadata: engine shared, soid 3|18071;)
# Inbound to $HOME_NET $HTTP_PORTS: despite the WEB-CLIENT prefix, sid 18074/18076 protect the
# Forefront UAG server itself (classtype attempted-admin) and only apply if $HOME_NET covers the UAG host.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT Forefront UAG URL XSS attempt"; sid:18074; gid:3; rev:1; classtype:attempted-admin; reference:cve,2010-2734; reference:url,www.microsoft.com/technet/security/bulletin/MS10-089.mspx; metadata: engine shared, soid 3|18074, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT Forefront UAG URL XSS alternate attempt"; sid:18076; gid:3; rev:1; classtype:attempted-admin; reference:cve,2010-3936; reference:url,www.microsoft.com/technet/security/bulletin/MS10-089.mspx; metadata: engine shared, soid 3|18076, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader invalid PDF JavaScript extension call"; sid:18102; gid:3; rev:3; classtype:attempted-admin; flowbits:isset,http.pdf; reference:cve,2010-4091; reference:url,www.adobe.com/support/security/bulletins/apsb10-28.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18102, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows Address Book smmscrpt.dll malicious DLL load"; sid:18202; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3144; reference:url,www.microsoft.com/technet/security/bulletin/MS10-097.mspx; metadata: engine shared, soid 3|18202, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows Address Book wab32res.dll malicious DLL load"; sid:18204; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3147; reference:url,www.microsoft.com/technet/security/bulletin/MS10-096.mspx; metadata: engine shared, soid 3|18204, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows Address Book msoeres32.dll malicious DLL load"; sid:18205; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3147; reference:url,www.microsoft.com/technet/security/bulletin/MS10-096.mspx; metadata: engine shared, soid 3|18205, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows 7 Home peerdist.dll dll-load exploit attempt"; sid:18208; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3966; reference:url,www.microsoft.com/technet/security/bulletin/MS10-095.mspx; metadata: engine shared, soid 3|18208;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt"; sid:18210; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3967; reference:url,www.microsoft.com/technet/security/bulletin/MS10-093.mspx; metadata: engine shared, soid 3|18210, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sid 18216 is "policy security-ips alert" — every other stub on this page that lists both
# policies uses drop for security-ips, so security-ips ends up more permissive than balanced-ips for this
# one MS10-090 detection. Confirm the deviation is intentional (e.g. a false-positive history) before
# trusting the policy to block it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer 6 #default#anim attempt"; sid:18216; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3343; reference:url,www.microsoft.com/technet/security/bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18216, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer select element memory corruption attempt"; sid:18217; gid:3; rev:3; classtype:attempted-user; reference:bugtraq,45260; reference:cve,2010-3345; metadata: engine shared, soid 3|18217;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows ATMFD font driver remote code execution attempt"; sid:18219; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3957; reference:url,www.microsoft.com/technet/security/bulletin/MS10-091.mspx; metadata: engine shared, soid 3|18219, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt"; sid:18220; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3959; reference:url,www.microsoft.com/technet/security/bulletin/MS10-091.mspx; metadata: engine shared, soid 3|18220, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer malformed table remote code execution attempt"; sid:18221; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-3962; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-090.mspx; metadata: engine shared, soid 3|18221;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt"; sid:18222; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3965; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-094.mspx; metadata: engine shared, soid 3|18222;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt"; sid:18223; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3965; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-094.mspx; metadata: engine shared, soid 3|18223;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt"; sid:18224; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3965; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-094.mspx; metadata: engine shared, soid 3|18224;)
# Gated on the http.pub file-type bit, which a separate rule (not on this page) must set first.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Publisher oversized oti length attempt"; sid:18231; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.pub; reference:cve,2010-3955; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; metadata: engine shared, soid 3|18231, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Publisher Adobe Font Driver code execution attempt"; sid:18233; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.otf; reference:cve,2010-3956; reference:url,www.microsoft.com/technet/security/bulletin/MS10-091.mspx; metadata: engine shared, soid 3|18233, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office PICT graphics converter memory corruption attempt"; sid:18235; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pct; reference:cve,2010-3946; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; metadata: engine shared, soid 3|18235, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Flashpix graphics filter fpx32.flt remote code execution attempt"; sid:18237; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3951; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; metadata: engine shared, soid 3|18237, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Vista Backup Tool fveapi.dll dll-load exploit attempt"; sid:18277; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3145; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-001.mspx; metadata: engine shared, soid 3|18277;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE oversize recordset object cache size exploit attempt"; sid:18280; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-0027; reference:url,www.microsoft.com/technet/security/bulletin/MS11-002.mspx; metadata: engine shared, soid 3|18280, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Comctl32.dll third-party SVG viewer heap overflow attempt"; sid:18297; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-2746; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-081.mspx; metadata: engine shared, soid 3|18297, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; sid:18398; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3970; reference:url,www.microsoft.com/technet/security/bulletin/MS11-006.mspx; metadata: engine shared, soid 3|18398, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Internet Explorer Base64 encoded script overflow attempt"; sid:18401; gid:3; rev:2; classtype:attempted-admin; reference:cve,2010-0031; reference:url,www.microsoft.com/technet/security/bulletin/MS11-009.mspx; metadata: engine shared, soid 3|18401, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer datasrc overflow attempt"; sid:18403; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-0035; reference:url,www.microsoft.com/technet/security/bulletin/MS11-003.mspx; metadata: engine shared, soid 3|18403;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE document.insertBefore memory corruption attempt"; sid:18404; gid:3; rev:1; classtype:attempted-admin; reference:cve,2011-0036; reference:url,www.microsoft.com/technet/security/bulletin/MS11-003.mspx; metadata: engine shared, soid 3|18404, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe field flags exploit attempt"; sid:18419; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-0589; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18419;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader plugin sqlite.dll dll-load exploit attempt"; sid:18431; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0570; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18431;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader d3dref9.dll dll-load exploit attempt"; sid:18432; gid:3; rev:4; classtype:attempted-user; reference:cve,2011-0588; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18432;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader plugin ace.dll dll-load exploit attempt"; sid:18439; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0570; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18439;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader plugin agm.dll dll-load exploit attempt"; sid:18440; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0570; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18440;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader plugin bibutils.dll dll-load exploit attempt"; sid:18441; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0570; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18441;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader plugin cooltype.dll dll-load exploit attempt"; sid:18442; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0570; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18442;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt"; sid:18443; gid:3; rev:5; classtype:attempted-user; reference:cve,2011-0570; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18443;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Acrobat Flash Player nvapi.dll dll-load exploit attempt"; sid:18445; gid:3; rev:4; classtype:attempted-user; reference:cve,2011-0575; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; metadata: engine shared, soid 3|18445;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat XML entity escape attempt"; sid:18456; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-0604; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18456, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Remote Desktop Connection .dll dll-load exploit attempt"; sid:18495; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-0029; reference:url,www.microsoft.com/technet/security/bulletin/MS11-017.mspx; metadata: engine shared, soid 3|18495;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows Media Player ehtrace.dll dll-load exploit attempt"; sid:18496; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0032; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-015.mspx; metadata: engine shared, soid 3|18496;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Groove mso.dll dll-load exploit attempt"; sid:18499; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-3146; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-016.mspx; metadata: engine shared, soid 3|18499;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader CCITT stream compression filter invalid image size heap overflow attempt"; sid:18506; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2011-0567; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18506;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader CCITT stream compression filter invalid image size heap overflow attempt"; sid:18507; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.pdf; reference:cve,2011-0567; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; metadata: engine shared, soid 3|18507;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT MFC applications mfc40.dll dll-load exploit attempt"; sid:18619; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3190; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-025.mspx; metadata: engine shared, soid 3|18619;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT MFC applications mfc42.dll dll-load exploit attempt"; sid:18620; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3190; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-025.mspx; metadata: engine shared, soid 3|18620;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT MFC applications mfc80.dll dll-load exploit attempt"; sid:18621; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3190; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-025.mspx; metadata: engine shared, soid 3|18621;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT MFC applications mfc90.dll dll-load exploit attempt"; sid:18622; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3190; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-025.mspx; metadata: engine shared, soid 3|18622;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT MFC applications mfc100.dll dll-load exploit attempt"; sid:18623; gid:3; rev:1; classtype:attempted-user; reference:cve,2010-3190; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-025.mspx; metadata: engine shared, soid 3|18623;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt"; sid:18630; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2011-0097; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18630, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt"; sid:18631; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2011-0097; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18631, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed Label record exploit attempt"; sid:18632; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2011-0098; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18632, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel RealTimeData record memory corruption attempt"; sid:18633; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2011-0101; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18633;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel Workspace file FontCount record memory corruption attempt"; sid:18634; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xlw; reference:cve,2011-0103; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18634, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed SupBook record attempt"; sid:18640; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2011-0979; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18640;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Word .dll dll-load exploit attempt"; sid:18647; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-0107; reference:url,www.microsoft.com/technet/security/bulletin/MS11-023.mspx; metadata: engine shared, soid 3|18647;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT cross-domain object manipulation attempt"; sid:18669; gid:3; rev:1; classtype:web-application-activity; reference:cve,2011-1245; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-018.mspx; metadata: engine shared, soid 3|18669;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object management memory corruption attempt"; sid:18670; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-1345; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-018.mspx; metadata: engine shared, soid 3|18670, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object management memory corruption attempt"; sid:18671; gid:3; rev:1; classtype:attempted-user; reference:cve,2011-1345; reference:url,www.microsoft.com/technet/security/Bulletin/MS11-018.mspx; metadata: engine shared, soid 3|18671, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt"; sid:17647; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.swf; reference:bugtraq,28695; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; metadata: engine shared, soid 3|17647, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt"; sid:16649; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-1248; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16649, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel SxView heap overflow attempt"; sid:16662; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-0821; reference:url,www.microsoft.com/technet/security/bulletin/MS10-038.mspx; metadata: engine shared, soid 3|16662, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenType Font file parsing buffer overflow attempt"; sid:17765; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.otf; reference:cve,2010-2740; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-078.mspx; metadata: engine shared, soid 3|17765, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed MergeCells record exploit attempt"; sid:17761; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3237; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17761, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt"; sid:17762; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2010-3232; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; metadata: engine shared, soid 3|17762, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt"; sid:18063; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2010-3334; reference:url,www.microsoft.com/technet/security/bulletin/MS10-087.mspx; metadata: engine shared, soid 3|18063, service http, policy balanced-ips drop, policy security-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt"; sid:18676; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2011-0105; reference:url,www.microsoft.com/technet/security/bulletin/MS11-021.mspx; metadata: engine shared, soid 3|18676, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Fax Cover Page Editor heap corruption attempt"; sid:18673; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.cov; reference:cve,2010-3974; reference:url,www.microsoft.com/technet/security/bulletin/MS11-024.mspx; metadata: engine shared, soid 3|18673, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt"; sid:18949; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2011-1270; reference:url,www.microsoft.com/technet/security/bulletin/MS11-036.mspx; metadata: engine shared, soid 3|18949;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Visio could allow remote code execution"; sid:15298; gid:3; rev:3; classtype:attempted-user; flowbits:isset,visio.request; reference:cve,2009-0097; reference:url,www.microsoft.com/technet/security/bulletin/MS09-005.mspx; metadata: engine shared, soid 3|15298, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt"; sid:13879; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-3020; reference:url,www.microsoft.com/technet/security/Bulletin/ms08-044.mspx; reference:cve,2009-2518; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-062.mspx; metadata: engine shared, soid 3|13879, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt"; sid:13947; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-3018; reference:url,www.microsoft.com/technet/security/bulletin/ms08-044.mspx; metadata: engine shared, soid 3|13947, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt"; sid:13946; gid:3; rev:5; classtype:attempted-user; reference:cve,2008-3021; reference:url,www.microsoft.com/technet/security/bulletin/ms08-044.mspx; metadata: engine shared, soid 3|13946, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt"; sid:13958; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3460; reference:url,www.microsoft.com/technet/security/bulletin/ms08-044.mspx; metadata: engine shared, soid 3|13958;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word ole stream memory corruption attempt"; sid:13469; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2008-0109; reference:url,www.microsoft.com/technet/security/bulletin/ms08-009.mspx; metadata: engine shared, soid 3|13469;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft GDI emf filename buffer overflow attempt"; sid:13676; gid:3; rev:4; classtype:attempted-user; flowbits:isset,emf.request; reference:cve,2008-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-021.mspx; metadata: engine shared, soid 3|13676, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft GDI integer overflow attempt"; sid:13666; gid:3; rev:5; classtype:attempted-user; flowbits:isset,emf.request; reference:cve,2008-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS08-021.mspx; metadata: engine shared, soid 3|13666, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt"; sid:13582; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-0116; reference:url,www.microsoft.com/technet/security/bulletin/MS08-014.mspx; metadata: engine shared, soid 3|13582;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt"; sid:13969; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2008-0121; reference:url,www.microsoft.com/technet/security/bulletin/ms08-051.mspx; metadata: engine shared, soid 3|13969, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF control word overflow attempt"; sid:13803; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.rtf; reference:cve,2008-1091; reference:url,www.microsoft.com/technet/security/bulletin/ms08-026.mspx; metadata: engine shared, soid 3|13803, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word malformed css remote code execution attempt"; sid:13790; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.doc; reference:cve,2008-1434; reference:url,www.microsoft.com/technet/security/bulletin/MS08-026.mspx; metadata: engine shared, soid 3|13790, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft malware protection engine denial of service attempt"; sid:13798; gid:3; rev:3; classtype:attempted-dos; flowbits:isset,download.pecompact.binary; reference:cve,2008-1437; reference:url,www.microsoft.com/technet/security/bulletin/MS08-029.mspx; metadata: engine shared, soid 3|13798, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft malware protection engine denial of service attempt"; sid:13802; gid:3; rev:2; classtype:attempted-dos; reference:cve,2008-1438; reference:url,www.microsoft.com/technet/security/bulletin/MS08-029.mspx; metadata: engine shared, soid 3|13802, service http, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt"; sid:13954; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-2245; reference:url,www.microsoft.com/technet/security/bulletin/ms08-046.mspx; metadata: engine shared, soid 3|13954, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt"; sid:15117; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-4264; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-074.mspx; metadata: engine shared, soid 3|15117, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft GDI EMF malformed file buffer overflow attempt"; sid:14259; gid:3; rev:3; classtype:attempted-user; reference:cve,2008-3012; reference:url,www.microsoft.com/technet/security/bulletin/MS08-052.mspx; metadata: engine shared, soid 3|14259, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GDI+ GIF image invalid number of extension blocks buffer overflow attempt"; sid:14260; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-3013; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-052.mspx; metadata: engine shared, soid 3|14260, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel rept integer underflow attempt"; sid:14655; gid:3; rev:5; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2008-4019; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-057.mspx; metadata: engine shared, soid 3|14655, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt"; sid:15125; gid:3; rev:4; classtype:attempted-user; reference:cve,2008-4030; reference:url,www.microsoft.com/technet/security/bulletin/MS08-072.mspx; metadata: engine shared, soid 3|15125, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt"; sid:15300; gid:3; rev:3; classtype:attempted-user; flowbits:isset,emf.request; reference:cve,2009-0081; reference:url,www.microsoft.com/technet/security/bulletin/ms09-006.mspx; metadata: engine shared, soid 3|15300, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt"; sid:15498; gid:3; rev:3; classtype:attempted-admin; flowbits:isset,http.ppt; reference:cve,2009-1128; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15498, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt"; sid:15454; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.ppt; reference:cve,2009-0556; reference:url,www.microsoft.com/technet/security/bulletin/MS09-017.mspx; metadata: engine shared, soid 3|15454, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel extrst record arbitrary code execution attempt"; sid:15365; gid:3; rev:6; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0238; reference:url,www.microsoft.com/technet/security/bulletin/MS09-009.mspx; metadata: engine shared, soid 3|15365, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt"; sid:15465; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0100; reference:url,www.microsoft.com/technet/security/bulletin/MS09-009.mspx; metadata: engine shared, soid 3|15465, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt"; sid:15519; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0549; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15519, service http, policy security-ips drop;)
# --- Shared-object (gid:3) rule stubs: WEB-CLIENT ---
# Every rule in this span carries gid:3 and "metadata: engine shared, soid 3|<sid>":
# the detection logic lives in a precompiled shared-object rule, and these lines are
# only stubs that supply sid/rev, classtype, references and policy metadata. None of
# them contains a content/pcre match, so a stub cannot be tuned by editing its
# options; it has to be paired with the .so rule of the same sid/rev (not in view).
# Most WEB-CLIENT stubs are gated on flowbits:isset,<bit> (http.xls, http.ttf,
# http.mp3, http.pdf, http.doc, http.quicktime, ...). A gated rule can only fire if
# another rule set that bit earlier on the same flow; the setter rules are outside
# this span, so disabling a file-type tagging rule silently disables every stub that
# depends on it — verify the setters are enabled in the same policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt"; sid:15521; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0558; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15521, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office Excel FtCbls remote code execution attempt"; sid:15520; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-0557; reference:url,www.microsoft.com/technet/security/bulletin/MS09-021.mspx; metadata: engine shared, soid 3|15520, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 16232 is classed attempted-admin (font parsing runs in kernel mode per MS09-065)
# and is set to drop only in the security-ips policy, not balanced-ips.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows TrueType font file parsing integer overflow attempt"; sid:16232; gid:3; rev:2; classtype:attempted-admin; flowbits:isset,http.ttf; reference:cve,2009-2514; reference:url,www.microsoft.com/technet/security/bulletin/MS09-065.mspx; metadata: engine shared, soid 3|16232, service http, policy security-ips drop;)
# sids 15857, 16415, 16530 and 14772 below have no flowbits gate: the .so inspects
# every server response on $HTTP_PORTS, so their cost and false-positive profile
# differ from the file-type-gated stubs around them.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows AVIFile media file invalid header length"; sid:15857; gid:3; rev:2; classtype:attempted-user; reference:cve,2009-1546; reference:url,www.microsoft.com/technet/security/bulletin/MS09-038.mspx; metadata: engine shared, soid 3|15857, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt"; sid:16230; gid:3; rev:2; classtype:attempted-user; flowbits:isset,http.xls; reference:cve,2009-3131; reference:url,www.microsoft.com/technet/security/bulletin/MS09-067.mspx; metadata: engine shared, soid 3|16230, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt"; sid:15920; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.mp3; reference:cve,2009-2499; reference:url,www.microsoft.com/technet/security/bulletin/MS09-047.mspx; metadata: engine shared, soid 3|15920, service http, policy balanced-ips drop, policy security-ips drop;)
# NOTE(review): sids 17242 and 16472 each list several separate flowbits:isset
# options (http.wmv/http.wma/http.asf; http.mswmm/http.msproducer/http.oless.v3/
# http.oless.v4). In a plain Snort 2.x text rule every option must pass, i.e. they
# are ANDed, which would require all bits on one flow; for an SO stub the .so's own
# logic governs, so confirm the intended "any of" vs "all of" semantics against the
# rule documentation before relying on these to fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt"; sid:17242; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.wmv; flowbits:isset,http.wma; flowbits:isset,http.asf; reference:cve,2010-0818; reference:url,www.microsoft.com/technet/security/bulletin/MS10-062.mspx; metadata: engine shared, soid 3|17242, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Movie Maker project file heap buffer overflow attempt"; sid:16472; gid:3; rev:4; classtype:attempted-user; flowbits:isset,http.mswmm; flowbits:isset,http.msproducer; flowbits:isset,http.oless.v3; flowbits:isset,http.oless.v4; reference:cve,2010-0265; reference:url,www.microsoft.com/technet/security/bulletin/MS10-016.mspx; metadata: engine shared, soid 3|16472, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft DirectShow memory corruption attempt"; sid:16415; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-0250; reference:url,www.microsoft.com/technet/security/bulletin/MS10-013.mspx; metadata: engine shared, soid 3|16415, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CAB SIP authenticode alteration attempt"; sid:16530; gid:3; rev:4; classtype:attempted-user; reference:cve,2010-0487; reference:url,www.microsoft.com/technet/security/bulletin/MS10-019.mspx; metadata: engine shared, soid 3|16530, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng malformed chunk denial of service attempt"; sid:14772; gid:3; rev:3; classtype:attempted-dos; reference:cve,2007-5269; metadata: engine shared, soid 3|14772, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 16343 is misc-activity (an obfuscated PDF header is an evasion indicator, not
# a specific exploit) yet is set to drop in both policies — review before enabling
# inline, since it is gated only on http.pdf.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT obfuscated header in PDF"; sid:16343; gid:3; rev:5; classtype:misc-activity; flowbits:isset,http.pdf; reference:url,www.adobe.com/devnet/acrobat/pdfs/PDF32000_2008.pdf; metadata: engine shared, soid 3|16343, service http, policy security-ips drop, policy balanced-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt"; sid:17665; gid:3; rev:3; classtype:attempted-user; flowbits:isset,http.doc; reference:bugtraq,36200; reference:cve,2009-0200; reference:cve,2009-0201; metadata: engine shared, soid 3|17665, service http, policy security-ips drop, policy balanced-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt"; sid:15975; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,25690; reference:cve,2007-2834; metadata: engine shared, soid 3|15975, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt"; sid:15976; gid:3; rev:2; classtype:attempted-user; reference:bugtraq,25690; reference:cve,2007-2834; metadata: engine shared, soid 3|15976, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt"; sid:17608; gid:3; rev:1; classtype:attempted-user; flowbits:isset,http.quicktime; reference:bugtraq,26338; reference:cve,2007-4677; metadata: engine shared, soid 3|17608, service http, policy balanced-ips drop, policy security-ips drop;)
# sids 17700 and 15433 use a different flowbit naming scheme (wav_file.request,
# maki_file.request) from the http.<type> bits above; presumably set by request-side
# rules rather than response-type tagging — verify the setters exist and are enabled.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt"; sid:17700; gid:3; rev:1; classtype:attempted-user; flowbits:isset,wav_file.request; reference:bugtraq,12697; reference:cve,2005-0611; metadata: engine shared, soid 3|17700, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Winamp MAKI parsing integer overflow attempt"; sid:15433; gid:3; rev:3; classtype:attempted-user; flowbits:isset,maki_file.request; reference:bugtraq,35052; reference:cve,2009-1831; metadata: engine shared, soid 3|15433, service http, policy balanced-ips drop, policy security-ips drop;)
# --- Shared-object (gid:3) rule stubs: WEB-IIS (server-side) ---
# Direction flips here: these match client requests toward $HTTP_PORTS.
# sid 13922 is the outbound twin of sid 13476 ($HOME_NET -> $EXTERNAL_NET), covering
# internal hosts sending the HTMLEncode overflow to external IIS servers. Neither
# stub carries "service http" or policy-drop metadata, so they alert only and —
# where target-based/service matching is in use — rely on $HTTP_PORTS alone.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow"; sid:13476; gid:3; rev:5; classtype:web-application-attack; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow"; sid:13922; gid:3; rev:5; classtype:web-application-attack; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13922;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS ADFS custom header arbitrary code execution attempt"; sid:16312; gid:3; rev:1; classtype:attempted-admin; reference:cve,2009-2509; reference:url,www.microsoft.com/technet/security/bulletin/MS09-070.mspx; metadata: engine shared, soid 3|16312, service http, policy balanced-ips drop, policy security-ips drop;)
# --- Shared-object (gid:3) rule stubs: WEB-MISC ---
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability"; sid:13308; gid:3; rev:7; classtype:attempted-user; reference:cve,2006-0150; reference:bugtraq,16177; metadata: engine shared, soid 3|13308, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 15470 is gated on flowbits:isset,asp.upload; the rule that sets it (presumably
# a request-side upload detector) is outside this span.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt"; sid:15470; gid:3; rev:1; classtype:attempted-user; flowbits:isset,asp.upload; reference:cve,2008-1436; reference:cve,2009-0078; reference:cve,2009-0079; reference:cve,2009-0080; reference:url,www.microsoft.com/technet/security/bulletin/MS09-012.mspx; metadata: engine shared, soid 3|15470, service http, policy balanced-ips drop, policy security-ips drop;)
# sids 15683 and 17041 (and likewise 17428/17429 further down) share an identical
# msg string and references but are distinct SO rules. Alert consumers should key
# on gid:sid, not on msg, or the two will be conflated in reporting and tuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt"; sid:15683; gid:3; rev:3; classtype:attempted-user; reference:cve,2009-1135; reference:url,www.microsoft.com/technet/security/bulletin/MS09-031.mspx; metadata: engine shared, soid 3|15683, service http, policy balanced-ips drop, policy security-ips drop;)
# sid 16315 is a server->client rule (response direction, like the WEB-CLIENT stubs)
# classed misc-activity with no drop policy: it records a probe, not an exploit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Adobe Flash PlugIn check if file exists attempt"; sid:16315; gid:3; rev:1; classtype:misc-activity; reference:cve,2009-3951; metadata: engine shared, soid 3|16315, service http;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft Sharepoint XSS attempt"; sid:16560; gid:3; rev:3; classtype:attempted-user; reference:cve,2010-0817; reference:url,www.microsoft.com/technet/security/bulletin/MS10-039.mspx; metadata: engine shared, soid 3|16560, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt"; sid:17041; gid:3; rev:1; classtype:attempted-user; reference:cve,2009-1135; reference:url,www.microsoft.com/technet/security/bulletin/MS09-031.mspx; metadata: engine shared, soid 3|17041, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS stack exhaustion DoS attempt"; sid:17254; gid:3; rev:1; classtype:attempted-dos; reference:cve,2010-1899; reference:url,www.microsoft.com/technet/security/bulletin/MS10-065.mspx; metadata: engine shared, soid 3|17254, service http, policy balanced-ips drop, policy security-ips drop;)
# sids 18072 and 18073 (Forefront UAG) carry no "service http" metadata; 18072 is
# policy-violation with no drop action, 18073 drops only in security-ips.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft Forefront UAG external redirect attempt"; sid:18072; gid:3; rev:2; classtype:policy-violation; reference:cve,2010-2732; reference:url,www.microsoft.com/technet/security/bulletin/MS10-089.mspx; metadata: engine shared, soid 3|18072;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft Forefront UAG arbitrary embedded scripting attempt"; sid:18073; gid:3; rev:2; classtype:attempted-user; reference:cve,2010-2733; reference:url,www.microsoft.com/technet/security/bulletin/MS10-089.mspx; metadata: engine shared, soid 3|18073, policy security-ips drop;)
# sids 17428/17429 (MS10-070, ASP.NET information disclosure) watch server responses
# ($HTTP_SERVERS -> $EXTERNAL_NET) and alert only after the detection_filter
# threshold: 100 matching responses in 30 s, tracked by_src. In this direction the
# source is the responding server, so all clients' responses share one counter per
# server; if the intent was to count per requesting client, track by_dst would be the
# key to consider — confirm against the .so rule's documentation.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC Microsoft ASP.NET information disclosure attempt"; sid:17428; gid:3; rev:3; classtype:misc-activity; detection_filter:track by_src, count 100, seconds 30; reference:cve,2010-3332; reference:url,www.microsoft.com/technet/security/bulletin/MS10-070.mspx; metadata: engine shared, soid 3|17428, service http, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC Microsoft ASP.NET information disclosure attempt"; sid:17429; gid:3; rev:3; classtype:misc-activity; detection_filter:track by_src, count 100, seconds 30; reference:cve,2010-3332; reference:url,www.microsoft.com/technet/security/bulletin/MS10-070.mspx; metadata: engine shared, soid 3|17429, service http, policy balanced-ips drop, policy security-ips drop;)
