#
# $Id: bleeding-exploit.rules $
# Bleeding Edge Threats exploit rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. 
#
# More information available at www.bleedingthreats.net
#
# Please submit any custom rules or ideas to bleeding@bleedingthreats.net or the bleeding-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2007, Bleeding Edge Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; uricontent:".pdf|00|"; nocase; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; classtype:attempted-admin; sid:2001217; rev:7; )

#From Bdoctor
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg: "BLEEDING-EDGE EXPLOIT Arkeia full remote access without password or authentication"; flow: from_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; classtype: attempted-admin; sid: 2001742; rev:6; )

#Matt Jonkman and Frank Knobbe
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in"; flow: to_server,established; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; reference:url,www.vitalsecurity.org/2005/01/malware-spam.html; reference:url,www.blahot.com; sid: 2001667; rev:7; )

#by Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg: "BLEEDING-EDGE EXPLOIT MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; classtype:web-application-attack; sid:2002791; rev:2;) 

#Blake Hartstein of Demarc
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; classtype:attempted-admin; sid:2003369; rev:1; )

#by Shirkdog
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3248; sid:2003370; rev:1; )

#by Shirkdog
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"BLEEDING-EDGE EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/3244 ; sid:2003378; rev:1; )

#Also by Shirkdog
alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"BLEEDING-EDGE EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; classtype:attempted-dos; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; sid:2003379; rev:1;)

#another from Shirkdog
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/3604; sid:2003518; rev:1;)

#by shirkdog as well
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3939; sid:2003750; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-dos; reference:url, www.milw0rm.com/exploits/3940; sid:2003751; rev:1;)

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"filediff|3f|f="; nocase; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; classtype:web-application-attack; sid:2002697; rev:4;)

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000048; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000031; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000049; rev:3; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco %u IDS evasion"; flow: to_server,established; uricontent:"%u002F"; classtype: attempted-dos; sid: 2000012; rev:6; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET 22 (msg: "BLEEDING-EDGE EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; classtype: attempted-dos; sid: 2000007; rev:4; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco IOS HTTP server DoS"; flow: to_server,established; uricontent:"/TEST?/"; classtype: attempted-dos; sid: 2000013; rev:6; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco IOS HTTP DoS"; flow: to_server,established; uricontent:"/error?/"; nocase; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype: attempted-dos; sid: 2000009; rev:7; )

#by Shirkdog
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; depth:4; nocase; uricontent:"/jmx-console/HtmlAdaptor"; nocase; flowbits:set,cmars.jboss; reference:bugtraq,19071; classtype:attempted-admin; sid:2003064; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; classtype: attempted-admin; sid:2003065; rev:2;)

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET 23 (msg: "BLEEDING-EDGE EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; sid: 2000005; rev:4; )

#by Blake Hartstein at Demarc
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"BLEEDING-EDGE EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; classtype:attempted-user; sid:2003039; rev:2; )

#By Mark Tombaugh
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002315; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|";  distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002316; rev:3;)

# Submitted by Evgeny Pinchuk, optimized by Joel Esler
#alert tcp any any -> any 5060 (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-TCP)"; flow: to_server,established; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001915; rev:4; )
#alert tcp any 5060 -> any any (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-TCP)"; flow: from_server,established; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001916; rev:4; )
#alert udp any any -> any 5060 (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-UDP)"; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001917; rev:4; )
#alert udp any 5060 -> any any (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-UDP)"; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001918; rev:4; )

#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible UTF-8 encoded Shellcode Detected";flow:from_server,established;pcre:"/(%U([0-9a-f]{2})){6}/i";classtype:trojan-activity;sid:2003173; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible UTF-16 encoded Shellcode Detected";flow:from_server,established;pcre:"/(%U([0-9a-f]{4})){6}/i";classtype:trojan-activity;sid:2003174; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; uricontent:"_SERVER[REMOTE_ADDR]="; nocase; reference:bugtraq,15609; classtype: web-application-attack; sid:2002703; rev:2; )

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; depth:4; nocase; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; classtype:web-application-attack; sid:2003332; rev:1;)

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; flowbits:set,ftp.user.login; flowbits:noalert; classtype:not-suspicious; sid:2002850; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP HP-UX LIST command without login"; flow:established,to_server; content:"LIST "; nocase; flowbits:isnotset,ftp.user.login; reference:cve,2005-3296; reference:bugtraq,15138; classtype:attempted-recon; sid:2002851; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"BLEEDING-EDGE EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; within:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-user; sid:2002852; rev:2; )


#This set is a consolidation of all IE exploits. Too many to keep separate...
#Submitted by Joseph Gama
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer URL parsing vulnerability"; flow: from_server,established; content:"location.href"; nocase; pcre:"/location\.href[\s]*=[\s]*unescape[\s]*\([\s]*['"]%01@['"]/iU"; reference:url,www.securityfocus.com/archive/1/346948; classtype: misc-activity; sid: 2001094; rev:6; )
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer Object Data Remote Execution Vulnerability"; flow: from_server,established; content:"<object"; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; reference:url,www.securityfocus.com/bid/8456/solution/; reference:cve,2003-0532; classtype:misc-activity; sid: 2001097; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; classtype: misc-attack; sid: 2001099; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: misc-attack; sid: 2001101; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; sid: 2001102; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to access SHELL\:"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: misc-attack; sid: 2001103; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001105; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001106; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; classtype: misc-activity; sid: 2001048; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; classtype: misc-attack; sid: 2001181; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; classtype: misc-attack; sid: 2001182; rev:5; )

#Submitted by Matt Jonkman
alert tcp any $HTTP_PORTS -> any any (msg: "BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; flow: from_server,established; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; classtype: misc-attack; sid: 2001401; rev:13; )

#Joseph Gama
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IFRAME ExecCommand vulnerability"; flow: from_server,established; content:"<IFRAME "; nocase; pcre:"/^[^>]*SRC[\s]*=[\s]*["']*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001095; rev:6; )

#Submitted by Chris Keladis
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MSIE Hidden Address Bar (Phish)"; flow: to_client,established; content:"window.createpopup"; nocase; content:"innerhtml"; nocase; content:"vuln_"; nocase; reference:url,www.guninski.com/popspoof.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html; reference:cve,2001-1410; classtype:trojan-activity; sid: 2001813; rev:7;)

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution"; flow:established,from_server; content:"document.getElementById"; content:"createTextRange"; nocase; distance:3; within:50; pcre:"/=\s*document\.getElementById.{0,30}?createTextRange/smi"; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; sid:2002860; rev:3; )

#by Blake Hartstein of Demarc
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access"; flow:established,from_server; content:"CLSID"; nocase; content:"6DA9275C-64E5-42A1-879C-D90B5F0DC5B4"; distance:0; within:50; content:"createPKCS10"; nocase; distance:0; reference:cve,2006-1172; reference:bugtraq,17852; classtype:web-application-activity; sid:2002909; rev:2; )

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/<[a-z][^>]+on[^>]+[^a-z_]window\s*\(\s*\)/i"; reference:url,secunia.com/advisories/15546; reference:url,www.computerterrorism.com/research/ie/ct21-11-2005; reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:6; )

#by Andre Ludwig from MOBB
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT IE StructuredGraphicsControl SourceURL Bug MoBB#6"; flow:from_server,established; content:"DirectAnimation.StructuredGraphicsControl"; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; reference:cve,2006-3427; classtype:web-application-activity; sid:2003023; rev:3;)
#hdm claims this is not exploitable using clsid route, and thus it is turned off by default
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT IE StructuredGraphicsControl SourceURL Bug MoBB#6 CLSID"; flow:from_server,established; content:"CLSID"; nocase; content:"369303C2-D7AC-11D0-89D5-00A0C90833E6"; nocase; distance:0; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; classtype:web-application-activity; sid:2003024; rev:2;)

# Submitted 2006-09-18 by Christian Seifert, updated 2/5/07 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".Spline|28|"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/si"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; classtype:attempted-user; sid:2003102; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; classtype:attempted-user; sid:2003103; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; classtype:attempted-user; sid:2003104; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; classtype:attempted-user; sid:2003105; rev:3;)

# Submitted 2006-09-19 by Chris Harrington, updated 1/10/07 by Christian Siefert
#Commenting out by default. Major threat has passed
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit"; flow:established,from_server; content:"xmlns"; nocase; content:"schemas-microsoft-com"; nocase; distance:0; content:"vml"; nocase; distance:0; pcre:"/\x3chtml\s*xmlns\x3a[\d\w]+\s*=\s*\x22\s*urn\x3aschemas-microsoft-com\x3avml\s*\x22\s*\x3e/i"; reference:url,osvdb.org/31250; reference:bugtraq,21930; reference:cve,2007-0024; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; reference:cve,2006-4868; classtype:misc-attack; sid:2003106; rev:3;)

# Submitted 2006-09-23 by Nate Bolam
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow"; flow:established,to_client; content:"|3a|fill"; nocase; content:"method"; nocase; distance:0; pcre:"/method\s*=\s*['"]+[^'"]{256}/smi"; pcre:"/\x3a(rect|roundrect|line|polyline|oval|image|arc|curve)/is"; reference:cve,2006-4868; reference:bugtraq,20096; classtype:attempted-user; sid:2003109; rev:4;)

#by Chris Byrd, updated by Christian Siefert 2/5/07
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url, riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; classtype:attempted-user; sid:2003110; rev:2;) 

# Submitted 2006-11-01 by Frank Knobbe
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; nocase; reference:url,www.securityfocus.com/bid/20843; reference:url,secunia.com/advisories/22603; reference:cve,2006-4704; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; sid:2003158; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft VsmIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; nocase; classtype:attempted-user; sid:2003159; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"639F725F-1B2D-4831-A9FD-874847682010"; nocase; classtype:attempted-user; sid:2003160; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; nocase; classtype:attempted-user; sid:2003161; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; nocase; classtype:attempted-user; sid:2003162; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft VsaIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; nocase; classtype:attempted-user; sid:2003163; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Business Object Factory object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; nocase; classtype:attempted-user; sid:2003164; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Outlook Data Object object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F033-0000-0000-C000-000000000046"; nocase; classtype:attempted-user; sid:2003165; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Outlook.Application object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F03A-0000-0000-C000-000000000046"; nocase; classtype:attempted-user; sid:2003166; rev:1;)


#Next 11 by Christian Siefert
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE NDFXArtEffects Multiple Property Overflow - MOBB 27" ; flow:from_server,established; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; nocase; content:"RGBExtraColor"; nocase; reference:url,osvdb.org/27530; reference:url,browserfun.blogspot.com/2006/07/mobb-27-ndfxarteffects-rgbextracolor.html; reference:cve,2006-3943; classtype:attempted-user; sid:2003225; rev:1;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE NDFXArtEffects Multiple Property Overflow (2) - MOBB 27" ; flow:from_server,established; content:"DXImageTransform.Microsoft.NDFXArtEffects.1"; nocase; content:"RGBForeColor"; nocase; reference:url,osvdb.org/27530; reference:url,browserfun.blogspot.com/2006/07/mobb-27-ndfxarteffects-rgbextracolor.html; reference:cve,2006-3943; classtype:attempted-user; sid:2003226; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE NDFXArtEffects Multiple Property Overflow (3) - MOBB 27" ; flow:from_server,established; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; nocase; content:"RGBForeColor"; nocase; reference:url,osvdb.org/27530; reference:url,browserfun.blogspot.com/2006/07/mobb-27-ndfxarteffects-rgbextracolor.html; reference:cve,2006-3943; classtype:attempted-user; sid:2003227; rev:1;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE NDFXArtEffects Multiple Property Overflow (4) - MOBB 27" ; flow:from_server,established; content:"DXImageTransform.Microsoft.NDFXArtEffects.1"; nocase; content:"RGBBackColor"; nocase; reference:url,osvdb.org/27530; reference:url,browserfun.blogspot.com/2006/07/mobb-27-ndfxarteffects-rgbextracolor.html; reference:cve,2006-3943; classtype:attempted-user; sid:2003228; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE NDFXArtEffects Multiple Property Overflow (5) - MOBB 27" ; flow:from_server,established; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; nocase; content:"RGBBackColor"; nocase; reference:url,osvdb.org/27530; reference:url,browserfun.blogspot.com/2006/07/mobb-27-ndfxarteffects-rgbextracolor.html; reference:cve,2006-3943; classtype:attempted-user; sid:2003229; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE NDFXArtEffects Multiple Property Overflow (6) - MOBB 27"; flow:from_server,established; content:"DXImageTransform.Microsoft.NDFXArtEffects.1"; nocase; content:"RGBExtraColor"; nocase; reference:url,osvdb.org/27530;reference:url,browserfun.blogspot.com/2006/07/mobb-27-ndfxarteffects-rgbextracolor.html; reference:cve,2006-3943; classtype:attempted-user; sid:2003235; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft IE FTP URL Arbitrary Command Injection" ; flow:from_server,established; content:"ftp\://"; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; classtype:attempted-user; sid:2003230; rev:1;)

#Updated by Christian Siefert 2/5/07
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution" ; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url, osvdb.org/10705; reference:cve,2004-0216; classtype:attempted-user; sid:2003231; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)" ; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/10705; reference:cve,2004-0216; classtype:attempted-user; sid:2003232; rev:2;)

#Updated by Christian Siefert, 2/5/07
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution" ; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/7913; reference:cve,2004-2291; classtype:attempted-user; sid:2003233; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)" ; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url, osvdb.org/7913; reference:cve,2004-2291; classtype:attempted-user; sid:2003234; rev:2;)

# steven@securityzone
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; content:"CLSID"; nocase; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; classtype:attempted-user; sid:2003514; rev:1;)

#By Shirkdog and Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/g"; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; classtype:attempted-user; sid:2003329; rev:1; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; classtype: bad-unknown; sid: 2001022; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype: bad-unknown; sid: 2001023; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype: bad-unknown; sid: 2001024; rev:3; )

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/jammail.pl?"; nocase; pcre:"/(mail=\|.+\|)/"; reference:bugtraq,13937; classtype: web-application-attack; sid: 2001990; rev:3; )

# Submitted by Joel Ebrahimi
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Kali Tagboard Command Execution Attempt"; flow: to_server,established; uricontent:"/banned.php"; uricontent:"cmd="; classtype: web-application-attack; sid: 2001883; rev:3;)

#
alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; classtype: misc-activity; sid: 2000046; rev:5; )

#
alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; classtype: misc-activity; sid: 2000033; rev:5; )

#Submitted by Joseph Gama
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001190; rev:5; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Width exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001191; rev:5; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001192; rev:5; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; content:"sPLT"; isdataat: 80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001195; rev:5; )

#Submitted by Joe Stewart
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; classtype:attempted-admin; sid: 2001058; rev:6; )

#by Blake Hartstein
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; uricontent:"/Security.tri"; nocase; content:"SecurityMode=0"; nocase; classtype:attempted-admin; reference:url,secunia.com/advisories/21372/; sid:2003072; rev:1;) 

# From Syke@mantissecurity.net
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT mIRC <=6.12 DCC Buffer Overflow"; flow: to_client, established; content:"DCC SEND "; nocase; isdataat: 100, relative; reference:bugtraq,8880; classtype: attempted-dos; sid: 2000329; rev:6; )

#by Mat Rowley of esoft
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested"; flow:established,to_server; uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert; classtype:not-suspicious; sid:2003206; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/A<[^>]*javascript\:.*>T<.*>/im"; classtype:attempted-admin; sid:2003207; rev:3;)

#Joe Stewart
alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; classtype:attempted-admin; sid: 2001944; rev:3; )

#Submitted by Chris Norton and Woofz
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect; sid: 2001369; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; sid: 2001363; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; sid: 2001364; rev:5; )

#From Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; sid: 2001374; rev:6; )

#By Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little;classtype: misc-attack; sid: 2001668; rev:4; )

#By Shirkdog, tweaks by Dale Handy
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT MS05-005 Office XP .doc Remote Code Attempt"; flow:established,to_server; uricontent:".doc"; pcre:"/\x2edoc\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; sid:2001727; rev:7;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT MS05-005 Office XP .rtf Remote Code Attempt"; flow:established,to_server; uricontent:".rtf"; pcre:"/\x2ertf\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; sid:2002799; rev:3;)

#by Chris Ries of Vigilant Minds
alert TCP any 445 -> any any (msg:"BLEEDING-EDGE EXPLOIT ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; classtype:attempted-admin; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; sid:2002064; rev:3;)

#Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content:"|3C|OBJECT "; nocase; pcre:"/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype: misc-attack; reference:url,www.microsoft.com/technet/security/bulletin/ms05-014.mspx; sid: 2001725; rev:7; )

#Erik Fichtner
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001848; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg: "BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001849; rev:5; )

alert tcp any any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001873; rev:6; )

# since this could be variable length chunks, we can't tell if we had
# enough data to blow the server up or not, so we have to read the
# chicken bones to see if it looks like exchange sh!t the bed or not.

alert tcp any 25 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001874; rev:5; )
pass tcp $SMTP_SERVERS 25 -> any any (msg: "BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted"; flowbits:isset,msxlsa; flow: from_server,established; content:"200 DONE"; nocase; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001875; rev:6; )
alert tcp $SMTP_SERVERS 25 -> any any (msg: "BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)"; flowbits:isset,msxlsa; flow: from_server,established; content:"500 DROP"; nocase; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001876; rev:5; )

# Submitted by Erik Fichtner, July 18, 2005
# MS05-036 has a pile of vectors into the system.  These are just some of them.

# False negative warning:  JPEG ICC can be fragged into multiple chunks.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002120; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1024,127,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002121; rev:5;)

# False negative warning:  GIF ICC can be fragged into multiple chunks.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002122; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1024,129,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002123; rev:5;)

# iCCP profiles are all compressed with zlib deflate. That's annoying. A preprocessor would do this work better.
# This is disabled by default because it hits on any PNG. It is a good sig, but you must understand more than average to use it
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - PNG with embedded ICC document"; flow:established; content:"|89|PNG|0D 0A 1A 0A|"; content:"iCCP"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002124; rev:2;)

# The following are based on a working exploit
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS05-036 exploit - JPEG ICC r/b/g/XYZ GetColorProfileElement overflow"; flow:established; content:"ICC_PROFILE|00|"; pcre:"/[rbg]XYZ/"; byte_test:4,!=,20,4,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002134; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS05-036 exploit - GIF ICC r/b/g/XYZ GetColorProfileElement overflow"; flow:established; content:"ICCRGBG1012"; pcre:"/[rbg]XYZ/"; byte_test:4,!=,20,4,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002137; rev:3;)

#By Blake Harstein at Demarc
#These rules are separated for compatibility with Snort 2.3.3 (>850 characters per line), If you are using Snort >2.4.0 you can safely combine these into a single rule 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; content:"CLSID"; nocase; pcre:"/CLSID\s*\:(?=\x7b?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x7d?)/i"; flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; sid:2002174; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/Ri"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002171; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/Ri"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002172; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/Ri"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002173; rev:5;) 

#This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the 
# clsid flowbits set above.
#By Blake Harstein of Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; classtype:web-application-attack; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; sid:2002308; rev:1;) 

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 1)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/Ri"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002491; rev:3;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 2)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/Ri"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002492; rev:3;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 3)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/Ri"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002493; rev:3;) 

# Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
#Replaced by sigs below
#alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002186; rev:1;)

#alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002187; rev:2;)

#alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002188; rev:2;)

#All related to UPnP Exploit, MS05-039
#Thanks to the Alert Logic team
alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002199; rev:1;)

alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002200; rev:1;)

alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:2002201; rev:1;)

alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002202; rev:1;)

alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:2002203; rev:1;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MciWndx ActiveX Control"; flow:from_server,established; content:"CLSID"; nocase; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; sid:2002724; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/Ri"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; sid:2002725; rev:4;)

#by Shirkdog, updated 2006-02-21, mscott
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; classtype:attempted-user; sid:2002802; rev:6; )

#by Joe Stewart of Lurhq
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client;  content:"BM"; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; classtype:attempted-user; sid:2002803; rev:5;)

#By Blake Hartstein from Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB CLIENT Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/Ri"; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; classtype:web-application-attack; sid:2002861; rev:1; )

#by Blake Hartstein at Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB CLIENT Wmm2fxa.dll COM Object Instantiation Memory Corruption"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; classtype:web-application-attack; sid:2002971; rev:2; )

#by Shirkdog
alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT "; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; classtype:attempted-dos; sid:2003067; rev:2;)

# Submitted 2006-08-11 by Joe Stewart
alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003081; rev:2;)
alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003082; rev:2;)

#by shirkdog and Blake hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS06-042 (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/5DFB2651-9668-11D0-B17B-00C04FC2A0CA|39A2C2A6-4778-11D2-9BDB-204C4F4F5020|3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020|E8C31D11-6FD2-4659-AD75-155FA143F42B|44C79591-D0DE-49C4-BA3C-A45AB7003356|01002B17-5D93-4551-81E4-831FEF780A53|1B544C24-FD0B-11CE-8C63-00AA0044B520|1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C|2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26|2EA10031-0033-450E-8072-E27D9E768142|31087270-D348-432C-899E-2D2F38FF29A0|41D2B841-7692-4C83-AFD3-F60E845341AF/i"; classtype:web-application-attack; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003077; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS06-042 (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB|4F3E50BD-A9D7-4721-B0E1-00CB42A0A747|586FB486-5560-4FF3-96DF-1118C96AF456|5B4B05EB-1F63-446B-AAD1-E10A34D650E0|679E132F-561B-42F8-846C-A70DBDC62999|6C68955E-F965-4249-8E18-F0977B1D2899|7F1232EE-44D7-4494-AB8B-CC61B10E21A5|92883667-E95C-443D-AC96-4CACA27BEB6E|930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6|A2EDA89A-0966-4B91-9C18-AB69F098187F|AECF5D2E-7A18-4DD2-BDCD-29B6F615B448|BC0D69A8-0923-4EEE-9375-9239F5A38B92/i"; classtype:web-application-attack; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003078; rev:2;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS06-042 (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/C0D076C5-E4C6-4561-8BF4-80DA8DB819D7|C44C65C7-FDF1-453D-89A5-BCC28F5D69F9|C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F|C8F209F8-480E-454C-94A4-5392D88EBA0F|CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED|CFFB1FC7-270D-4986-B299-FECF3F0E42DB|E188F7A3-A04E-413E-99D1-D79A45F70305|E476CBFF-E229-4524-B6B7-228A3129D1C7|EF105BC3-C064-45F1-AD53-6D8A8578D01B|EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C|F44BB2D0-F070-463E-9433-B0CCF3CFD627|5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E/i"; classtype:web-application-attack; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003079; rev:2;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS06-042 (group 4)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/ADEADEB8-E54B-11d1-9A72-0000F875EADE|EC85D8F1-1C4E-46e4-A748-7AA04E7C0496|A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0|E673DCF2-C316-4c6f-AA96-4E4DC6DC291E|D74CA70F-2236-4BA8-A297-4B2A28C2363C/i"; classtype:web-application-attack; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003080; rev:2;)

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; distance:0; within:8; reference:cve,2002-1123; reference:bugtraq,5411; classtype:attempted-admin; sid:2002845; rev:2; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000488; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000372; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000373; rev:5; )

#Submitted by Joseph Gama
alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-admin; sid: 2000377; rev:4; )
alert udp any any -> $SQL_SERVERS 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000378; rev:5; )
alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000379; rev:4; )
alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; classtype: attempted-admin; sid: 2000380; rev:6; )
alert udp any any -> $SQL_SERVERS 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000381; rev:5; )

#community-written, see docs. Moved from Current events, will be stable for the long term
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:5;)

#by Shirkdog
#out for testing. Please report experiences
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Office Data Structure Corruption (unpatched)"; flow:established,to_client; content:"|CF 11 E0 A1 B1 1A E1|"; content:"|00 00 00|"; distance:617; within:3; byte_test:4,>,1677215,0,relative,little; classtype:bad-unknown; sid:2003212; rev:2;)

#Erik Fichtner
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:1,=,3,10,relative; flowbits:set,icolor_png; classtype: misc-attack; reference:cve,2004-0597; sid: 2001720; rev:7; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content:"PLTE"; byte_test:4,>,768,-8,relative; classtype: misc-attack; reference:cve,2004-0597; sid: 2001721; rev:6; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content:"hIST"; byte_test:4,>,512,-8,relative; classtype: misc-attack; reference:cve,2004-0597; sid: 2001722; rev:6; )
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,256,17,relative;content:"tRNS"; distance: 4; classtype: misc-attack; sid: 2001723; rev:6; )
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad width"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,0,relative;classtype: misc-attack; reference:cve,2004-1214; sid: 2001718; rev:5; )
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad height"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,4,relative;classtype: misc-attack; reference:cve,2004-1214; sid: 2001719; rev:5; )
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT libpng CAN-2004-1244 overflow attempt"; flow: to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:1,=,3,10,relative;content:"tRNS"; byte_test:4,>,256,-8,relative;pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype: attempted-admin; sid: 2001724; rev:4; )

#By Mark Tombaugh
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; classtype:successful-recon-limited; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; sid:2002389; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BLEEDING-EDGE EXPLOIT Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; classtype:misc-attack; reference:bugtraq,11775; sid:2002390; rev:2; )

#by Alejandro Gramajo
##############################################################################
# x86 Pex Variable Length Fnstenv/mov/sub Double Word Xor Encoder
# 
# D9 EE             fldz
# D9 74 24 F4       fnstenv [esp - 12]
# 5B                pop ebx
# 81 73 13 xorkey   xor_xor: xor DWORD [ebx + 22], xorkey
# 83 EB FC          sub ebx,-4
# E2 F4             loop xor_xor
#
# Real traffic dump
#                                           Content1
# 98 49 F8 27 91 2F 27  48 4F 4E 6A  12 59 <D9 EE D9   .I.'./'HONj.Y...
# 74 24 F4 5B 81 73 13> 2E D6 9A FE <83 EB  FC E2 F4>  t$.[.s..........
#                       Xorkey       Content2
#            
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT x86 PexFnstenvMov/Sub Encoder"; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; sid:2002903; rev:1;)

##############################################################################
# x86 Skylined\'s Alpha2 Alphanumeric Encoder
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE EXPLOIT x86 Alpha2 GetEIPs Encoder"; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; classtype:shellcode-detect; sid:2002904; rev:1;)

##############################################################################
# x86 Call $+4 countdown xor encoder
#
# E8 FF FF FF       call $+4
# FF C1             inc ecx
# 5E                pop esi
# 30 4C 0E 07       xor_xor: xor [esi + ecx + 0x07], cl
# E2 FA             loop xor_xor
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE EXPLOIT x86 Countdown Encoder";content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|";classtype:shellcode-detect; sid:2002905; rev:1;)

##############################################################################
# x86 Pex Alphanumeric Encoder
#
# VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089   win32getpc
# ?? JJJJJ ??                                                  baseaddr
# VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM      decoder
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT x86 PexAlphaNum Encoder"; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; classtype:shellcode-detect; sid:2002906; rev:1;)

##############################################################################
# x86 Pex Call $+4 Double Word Xor Encoder
#
# E8 FF FF FF       call $+4
# FF C0             inc eax
# 5E                pop esi
# 81 76 0E xorkey   xor_xor: xor [esi + 0x0e], xorkey
# 83 EE FC          sub esi, -4
# E2 F4             loop xor_xor 
#
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT x86 PexCall Encoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; sid:2002907; rev:1;)

##############################################################################
# x86 IA32 Jmp/Call XOR Additive Feedback Decoder
# 
# FC                cld
# BB key            mov ebx, key
# EB 0C             jmp short 0x14
# 5E                pop esi
# 56                push esi
# 31 1E             xor [esi], ebx
# AD                lodsd
# 01 C3             add ebx, eax
# 85 C0             test eax, eax
# 75 F7             jnz 0xa
# C3                ret
# E8 EF FF FF FF    call 0x8
#
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT x86 JmpCallAdditive Encoder"; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; classtype:shellcode-detect; sid:2002908; rev:1;)

#Joel Esler
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Meteor FTP Server Exploit"; flow:established,to_server; content:"USER"; nocase; offset: 14; pcre:"/USER.{81,}/i"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5RP0Q2KFPC.html; sid: 2001954; rev:4; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla Firefox Certificate Spoofing"; flow: from_server,established; content:"http-equiv"; nocase; pcre:"/META[\s]+HTTP-EQUIV[\s]*=[\s]*['"]*REFRESH['"]*[\s]+CONTENT[\s]*=[\s]*['"]*[\d]+[\s]*\;[\s]*URL[\s]*=[\s]*http[\s\S]+onunload[\s]*=[\s]*['"]+[\s\S]+document\.write[\s\S]+window\.location\.reload/i"; reference:url,www.securiteam.com/securitynews/5EP0L1PDFG.html; classtype: misc-activity; sid: 2001206; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla Cookie theft"; flow: from_server,established; content:"http|3a|//"; nocase; pcre:"/http\://[\w]+(\.[\w]+){1,2}%00(([\d]+\.*){4}|[\d]+|[\w]+(\.[\w]+){1,2})/i"; reference:url,www.securiteam.com/securitynews/5GP0T0U60M.html; classtype: misc-activity; sid: 2001207; rev:6; )
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Reading Local Files in Netscape 6 and Mozilla"; flow: from_server,established; content:"XMLHttpRequest"; nocase; pcre:"/([\w]+)[\s]*=[\s]*new[\s]+XMLHttpRequest[\s\S]+\1\.open[\s]*\([\s]*['"]GET['"][\s]*,/i"; reference:url,www.securiteam.com/securitynews/5JP000A76K.html; classtype: misc-activity; sid: 2001208; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla FTP View Cross-Site Scripting Vulnerability"; flow: from_server,established; content:"ftp\://"; nocase; content:"<TITLE"; content:"<SCRIPT"; content:"</TITLE"; reference:url,www.securiteam.com/windowsntfocus/5MP0I0080A.html; classtype: misc-activity; sid: 2001209; rev:5; )

#Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative;classtype: attempted-admin; reference:cve,2005-0399; sid: 2001807; rev:6; )

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Set Wallpaper Code Execution Attempt (img)"; flow:established,from_server; content:"<img "; nocase; pcre:"/<img[^\>]*[ a-z]src[^>=]*=(?>\s*)['"]?javascript\:(\s)?./i"; reference:url,secunia.com/advisories/16043/; reference:url,www.mozilla.org/security/announce/mfsa2005-47.html; classtype:misc-attack; sid:2002127; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Set Wallpaper Code Execution Attempt (input)"; flow:established,from_server; content:"<input "; nocase; pcre:"/<input[^\>]*[ a-z]src[^>=]*=(?>\s*)['"]?javascript\:(\s)?./i"; reference:url,secunia.com/advisories/16043/; reference:url,www.mozilla.org/security/announce/mfsa2005-47.html; classtype:misc-attack; sid:2002128; rev:2;)

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Domain Name Buffer Overflow"; flow:established,from_server; content:"http"; pcre:"/(\xad|%ad|&shy\;?){16,}/Ri"; reference:cve,2005-2871; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=307259; reference:url,www.milw0rm.com/id.php?id=1224; classtype:web-application-attack; sid:2002380; rev:4;)

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Cookie Manipulation Attempt"; flow:established,from_server; content:"location.hostname"; nocase; pcre:"/location.hostname\s*=\s*['"][^'"]*\\x00/i"; reference:cve,2007-0981; classtype:web-application-attack; sid:2003415; rev:1; ) 

#By Joel Esler
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg: "BLEEDING-EDGE EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; classtype: attempted-admin; sid: 2001988; rev:2; )

#Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; distance:0; within:500; classtype:web-application-attack; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; sid:2003328; rev:1;)

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; sid: 2000017; rev:4; )

#By Michael Hale Ligh and Ryan Smith
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"BLEEDING-EDGE EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; classtype:web-application-attack; sid:2003145; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"BLEEDING-EDGE EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; classtype:web-application-attack; sid:2003146; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"BLEEDING-EDGE EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; classtype:web-application-attack; sid:2003148; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"BLEEDING-EDGE EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; classtype:web-application-attack; sid:2003147; rev:1;)

#by Tom at doctorunix.com
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT OSTicket Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/osticket/include"; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438; reference:cve,CAN-2005-1439; classtype: web-application-attack; sid:2002702; rev:3;)

#by Fabien Bourdaire of ECSC Security
# Re: http://www.internetdefence.net/2007/02/06/Javascript-payload
# bc d3 c3 d2  c9 d0 d4 <SCRIPT
# bc f3 e3 f2  e9 f0 f4 <script
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003400; rev:1;)

# ae ef f0 e5  ee a0 a2 e7 e5 f4 a2 .open "get"
# ae cf d0 c5 ce a0 a2  c7 c5 d4 a2 .OPEN "GET"
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003401; rev:2;)

#  f3 e8 e5 ec ec e5 f8 e5 e3 f5 f4 e5  shellexecute
#  d3 c8 c5 cc cc c5 d8 c5 c3 d5 d4 c5
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003402; rev:2;)

# f6 e2 f3 e3 f2 e9 f0 f4
# d6 c2 d3 c3 d2 c9 d0 d4 VBSCRIPT
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/";reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003403; rev:1;)


#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"BLEEDING-EDGE EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; classtype:attempted-admin; sid:2002886; rev:1; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"BLEEDING-EDGE EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; classtype:attempted-admin; priority:3; sid:2002887; rev:1; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"BLEEDING-EDGE EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; classtype:attempted-admin; sid:2002888; rev:2; ) 

#Mark Tombaugh
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; depth:4; nocase; uricontent:"xmlrpc.php"; content:"methodCall"; nocase; pcre:"/>.*\'\s*\)\s*\)*\s*\;/"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; classtype: web-application-attack; sid:2002158; rev:4;)

#By Blake Hartstein at Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"BLEEDING-EDGE EXPLOIT PeerCast Url Overflow"; flow:established,to_server; content:"GET /stream/"; nocase; pcre:"/stream\/\?(.*?=)?[^=]{500}/i"; reference:cve,2006-1148; reference:bugtraq,17040; classtype:attempted-user; sid:2002862; rev:1; )

#by Steve Adair steven@securityzone - 11/28/2006, updates from Mat Rowley
alert tcp any any -> $HOME_NET 21 (msg:"BLEEDING-EDGE EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message"; distance:0; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; classtype:misc-attack; sid:2003196; rev:4;)
alert tcp any any -> $HOME_NET 21 (msg:"BLEEDING-EDGE EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; classtype:misc-attack; sid:2003197; rev:3;)

#Submitted by Matt Jonkman, Updated by Abe and Matt Sheridan
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype: suspicious-login; sid: 2000565; rev:6; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype: suspicious-login; sid: 2000566; rev:6; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype: misc-attack; sid: 2000564; rev:7; )
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype: misc-attack; sid: 2000567; rev:6; )
alert tcp $HOME_NET 445 -> any any (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"\:|00|5|00|0|00|0\:"; classtype: misc-attack; sid: 2000563; rev:8; )
alert tcp $HOME_NET 139 -> any any (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"\:|00|5|00|0|00|0\:"; classtype: misc-attack; sid: 2000568; rev:7; )

#Submitted by Abe Use
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype: misc-activity; sid: 2001053; rev:5; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype: misc-activity; sid: 2001544; rev:5; )
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype: misc-activity; sid: 2001052; rev:6; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype: misc-activity; sid: 2001543; rev:5; )
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype: suspicious-login; sid: 2001753; rev:2; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype: suspicious-login; sid: 2001754; rev:2; )

#by Kyle Haugsness, Erik Fichtner, and Matt Jonkman
#VNC State Machine, good for other uses
#VNC is easy to run on any port, so ranges are not in use for now...
#
#Server offers version
alert tcp $HOME_NET any -> any any (msg:"BlEEDING-EDGE EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; classtype:misc-activity; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:cve,2006-2369; sid:2002912; rev:3;)

#Client replies in kind
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; classtype:misc-activity; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002913; rev:3;)

#Server says it requires VNC auth, and sends 16 byte salt
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; classtype:misc-activity; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002914; rev:2;)

#or server replies like so, same thing as above, different method. For some reason some servers do not send the challenge with the auth offer
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; classtype:misc-activity; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002918; rev:2;)

#or, unrelated, if server says it allows no auth. Could be a compromised server
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup;  flowbits:unset,BSvnc.auth.offered; classtype:misc-activity; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:cve,2006-2369; sid:2002924; rev:3;)

#and in the other client style case
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; classtype:misc-activity; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:cve,2006-2369; sid:2002923; rev:2;)

#and the client in this scenario replies with a |02| to ask for normal pass auth, this ends the chain as a good exchange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT VNC Good Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; classtype:attempted-admin; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002919; rev:3;)

#if client replies with hashed salt chain ends, this is not an exploit attempt
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; classtype:attempted-admin; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002915; rev:2;)

#if client replies it wants null auth, this is an exploit ATTEMPT
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; classtype:attempted-admin; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:cve,2006-2369; sid:2002916; rev:2;)

#if server replies with auth successful this is a successful exploit
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; classtype:successful-admin; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; sid:2002917; rev:3;)

#This is a good auth back from the server
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY VNC Authentication Successful"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSvnc.auth.agreed; flowbits:unset,BSis.vnc.setup; classtype:not-suspicious; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002922; rev:2;)

#this is for a server saying auth failed
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY VNC Authentication Failure"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 01|"; depth:4; classtype:attempted-admin; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002920; rev:2;)

#This is for too many failures
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; classtype:attempted-admin; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002921; rev:2;)

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:"<imfl>"; pcre:"/<[^>%]*%/R"; content:"</imfl>"; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; classtype:web-application-attack; sid:2002381; rev:5;)

#by Blake Hartstein of Demarc
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg: "BLEEDING-EDGE EXPLOIT SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; within:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference: bugtraq,16213; reference: cve,2006-0189; classtype:attempted-user; sid:2002848; rev: 3;) 

#by Blake Hartstein of Demarc
alert udp any any -> $HOME_NET 5060 (msg: "BLEEDING-EDGE EXPLOIT MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; classtype:attempted-user; sid:2003237; rev:3; )

#
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid: 2000032; rev:6; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability"; flow: to_server,established; content:"site exec"; nocase; rawbytes; reference:url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; classtype: misc-activity; sid: 2001210; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (1)"; flow: to_server,established; pcre:"/\\[\.]+%20/Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; sid: 2001211; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (2)"; flow: to_server,established; pcre:"/%20[\.]+\//Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; sid: 2001212; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow"; flow: to_server,established; content:"LIST -l\:"; nocase; isdataat: 134,relative; reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype: misc-activity; sid: 2001213; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; flow: to_server,established; content:"chmod"; nocase; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype: misc-activity; sid: 2001215; rev:7; )

#Submitted by Cooljay ref: http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=139
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; classtype: shellcode-detect; sid: 2001385; rev:4; )

#by Blake Hartstein
alert tcp any any -> $HOME_NET 8000:8030 (msg:"BLEEDING-EDGE EXPLOIT Nullsoft Shoutcast Server Format String Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/\/content\/.*?%#?\d*[a-z\.].*?\.mp3/Ri"; reference:cve,2004-1373; reference:bugtraq,12096; classtype:web-application-attack; sid:2001751; rev:4;) 

#by Summit Siddharth
alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"BLEEDING-EDGE EXPLOIT malformed Sack - Snort DoS-by-$um$id";seq:0; ack:0; window:65535; dsize:0; classtype:attempted-dos; sid:2002656; rev:2;)

#By Kyle Haugsness for the ISC on 2005-10-21
#Disabling by default. This is now caught by the upgraded BO preproc 2.4.3+
#alert udp any !31337 <> any !31337 (msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; dsize: >1024; content:"|ce 63 d1 d2 16 e7 13 cf|"; offset: 0; depth: 8; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?storyid=782; reference:url,isc.sans.org/diary.php?storyid=770; reference:url,xforce.iss.net/xforce/alerts/id/207; sid: 2002661; rev:2; )

#submitted by bdoctor
alert tcp any any -> $HOME_NET 23 (msg: "BLEEDING-EDGE EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference:url,online.securityfocus.com/archive/1/293844; classtype: attempted-admin; sid: 2001780; rev:3; )

# Submitted 2007-02-12 by Chris Byrd
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; sid:2003411; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; sid:2003412; rev:1;)

#
alert tcp any any -> $HOME_NET 3128 (msg: "BLEEDING-EDGE EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; classtype: misc-attack; sid: 2000342; rev:4; )

#Submitted by Dale Handy
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow:to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001549; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow:to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001550; rev:6;)
alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow:to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001551; rev:6;)
alert tcp $EXTERNAL_NET 143 -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow:to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001552; rev:6;)

#by Matt Richard
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002783; rev:1;)
#Disabled by default. Used in several major sites... 
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002784; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Java field reflector call java.lang.reflect.field"; flow:from_server,established; content:"java/lang/reflect/Field"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002785; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Javascript unsafe applet call"; flow:from_server,established; content: "sun.misc.Unsafe"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002786; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Javascript Securitymanager class applet call"; flow:from_server,established; content: "java.lang.SecurityManager"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002787; rev:1;)

# Submitted on 2006-05-01 by Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"BLEEDING-EDGE EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"/xml.xml"; nocase; distance:1; within:10; content:"<request"; nocase; distance:0; content:"<key "; distance:0; reference:cve,2006-0230; reference:bugtraq,17637; classtype:attempted-recon; sid:2002896; rev:1; )

#Matt Jonkman
#limited info, but the exploit requires the data type to be 0x10, the command to be 0x24, then a null, and there is a backslash (0x5c) in the body, and the body is over 0x17c or 0x17a. More detail in the reference
alert tcp any any -> $HOME_NET 2967:2968 (msg:"BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; classtype:attempted-admin; sid:2003250; rev:1; )

#These rules are mostly for malformed tftp related to, but not for any one specific exploit.
#The tftp get or put should be opcode(\x01 or \x02)\x00filename\x00mode\x00. Mode is either netascii, binary or mail. 
#by Matt Jonkman
#These look for write or get that does not have the correct mode. Will catch many of the tftp exploits, like the 3com stuff of late.
alert udp any any -> $HOME_NET 69 (msg:"BLEEDING-EDGE EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; classtype:non-standard-protocol; sid:2003198; rev:1;)
alert udp any any -> $HOME_NET 69 (msg:"BLEEDING-EDGE EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; classtype:non-standard-protocol; sid:2003199; rev:1;)

#By Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; uricontent:"/ISALogin.dll?"; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; classtype:attempted-recon; sid:2002406; rev:2;)

#Matt Jonkman
#Issue is fixed by patch, and all http traffic is now redirected to https. So anything on this
# port in the clear using the bad cookie name is suspect. Thanks for the reference Jose
alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"BLEEDING-EDGE EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; classtype:attempted-admin; sid:2003434; rev:1;)

#by Shirkdog and Scott Melnick
alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"BLEEDING-EDGE EXPLOIT TrendMicro ServerProtect Exploit -- possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c|"; distance:14; within:18; content:"|04 00 03 00|"; distance:0; within:4; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; classtype:misc-attack; sid:2007584; rev:2;)

#By Paul Dokas, posted on http://isc.sans.org/diary.php?date=2005-06-27
#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002061; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002062; rev:2;)

#By Chris Ries of Vigilant Minds. This is not specific to the exploit as previous versions
alert TCP any any -> any 10000 (msg:"BLEEDING-EDGE EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; classtype:misc-attack; sid:2002065; rev:3;)

#By Mark Tombaugh: Alerts on responses of version checks.
alert tcp $HOME_NET 10000 -> any any (msg:"BLEEDING-EDGE EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; classtype:attempted-recon; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; sid:2002068; rev:5;)

# Added 2005/08/12 by Frank Knobbe - This version alerts if a system is vulnerable. flowbits:noalert is optional on the first rule if you don't want to detect (possibly unsuccessfull) attempts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:default-login-attempt; sid:2002181; rev:3;)
alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:misc-attack; sid:2002182; rev:3;)

#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:2;)

# By Frank Knobbe, 2005-12-28. Additional work with Blake Harstein and Brandon Franklin.
# flow_depth (of http_inspect_server) has to be set to 0. Recommend second Snort instance with that config.
# Note that these rules will fail to detect the exploit when the HTTP response is gzipped.
# There is also a possibility for evasion, but a version that catches it will incurr massive amount of FPs.
#
# Choose between the All-Ports rules or the Web-Only rules. (All web rules have to be enabled)
# All ports
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - All Ports - v3"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - All Ports - v1"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002759; rev:1;)
# Web Only
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,bleeding_wmf_http; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002743; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Web Only - version 3"; flowbits:isset,bleeding_wmf_http; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002741; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Web Only - version 1"; flowbits:isset,bleeding_wmf_http; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002757; rev:1;)
# Thes rules have to be there for both 
#Temporarily disabling, causing segfaults in snort 2.7.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 3"; flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742; rev:5;)
#David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT WebHints Scripts Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/hints.pl?|7c|"; nocase; classtype: web-application-attack; reference:bugtraq,13930; sid: 2001991; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT WinProxy Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; sid:2002764; rev:3; )

#Written by Erik Fichtner
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 1"; flowbits:noalert; flow: to_client,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; classtype: web-application-activity; sid: 2001622; rev:4;)
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 2"; flow: to_client,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; flowbits: isset,winhlp32; classtype: web-application-attack; sid: 2001623; rev:3; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 3"; flow: to_client, established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; flowbits: isset,winhlp32; classtype: web-application-attack; sid: 2001624; rev:3;)
alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 1"; flowbits:noalert; flow: to_server,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; classtype: web-application-activity; sid: 2001625; rev:5;)
alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 2"; flow: to_server,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid: 2001626; rev:3;)
alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 3"; flow: to_server,established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; classtype: web-application-attack; sid: 2001627; rev:3;)

#By Sam Pabon
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (1)"; flow: to_client,established; content:"pchealth"; nocase; pcre:"/^file\x3A\\/\/C\x3A\\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools\x2E\.htm/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype: web-application-attack; sid: 2001633; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (2)"; flow: to_client,established; content:"writehta.txt"; pcre:"/^C\x3A\\\Documents\s+and\s+Settings\\All\s+Users\\Start\s+Menu\\Programs\\Startup\\+?([A-Z]|[a-z]|[0-9])\x2E\.hta/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype: web-application-attack; sid: 2001634; rev:6;)

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Wzdftpd SITE command arbitrary command execution attempt"; flow:to_server,established; content:"site"; nocase; pcre:"/site\s+.*?[\;|&]/i"; reference:bugtraq,14935; reference:url,www.securiteam.com/exploits/5CP0R1PGUE.html; classtype:web-application-attack; sid:2002382; rev:4; )

# Submitted to Snort-Sigs by Chas Tomlin, with additions by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:11; )

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT wowBB view_user.php SQL Injection"; flow: to_server,established; uricontent:"/wowbb/view_user.php?"; nocase; uricontent:"&sort_by='"; nocase; pcre:"/(alter|delete|insert|select)/i"; reference:bugtraq,13569; classtype: web-application-attack; sid: 2001932; rev:4;)