packETH-3.0 (git archive of commit 7d0c98b3692427ba5c8084460e5353d57e0d304b)

packETH-3.0/.defaultBuilder: (binary file, contents omitted)

packETH-3.0/.gitignore:

Makefile*
aclocal.m4
autom4te.cache/
compile
config*
depcomp
install-sh
missing
packETH
src/*.o
src/.deps/*
src/pixmaps.[ch]
src/ui.[ch]
cli/*.o
stamp-h1
!configure.ac
packETH-3.0/AUTHORS:

Miha Jemec

packETH-3.0/CHANGELOG:

1.7.x -> 1.8
Completely rewritten Gen-b window; the user can now select different options while sending via checkbuttons. Optionally the user can specify which checksums should be updated (ipv4, tcp, udp, icmp). Also the Gtk calls were now removed from the sending thread, which caused a lot of problems with stability on certain Linux distributions before. I hope now the whole program will be much more stable.

1.8 -> 1.8.1
Using nanosecond resolution (if supported by the Linux kernel version, otherwise microseconds will be used). With nanoseconds the desired bandwidth can be much closer to the actual one for all bandwidths selected. If the actual bandwidth differs from the desired one by more than 10%, a warning is included in the status bar. The interface dialog now displays all available interfaces, not only interfaces with an IP address assigned (thanks to Alok Prasad for the patch).

1.8.1 -> 1.9
Gui: Added options for additional stream control (speed ramp, size ramp)
CLI: added options for IDS/firewall testing

7.11.2018 (github):
Complete packETHcli rewrite with many new options to tune sending parameters. Please see the cli dir for details!
27.11.2018 (github):
- packETHcli added receiver option (mode -m -9) to count received packets
- packETHcli added option to include a pattern (predefined or custom) which can be checked by packETHcli in receiver mode, to verify that all packets that were sent were also correctly received at the receiver site
- packETH added option to include a predefined pattern (same as the packETHcli -x option) that can be checked with packETHcli mode -9
- packETHcli nanoseconds support

packETH-3.0/COPYING:

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for software and other kinds of works.

The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights.
Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.

Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

0. Definitions.

"This License" refers to version 3 of the GNU General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based on the Program.

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.

A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified it, and giving a relevant date.

b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.

"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information.
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.

Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

7. Additional Terms.

"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.

Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based.
The work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.

If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

Copyright (C)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .

Also add information on how to contact you by electronic and paper mail.

If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:

Copyright (C)
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box".

You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see .

The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read .

==> packETH-3.0/ChangeLog <==

1.7.x -> 1.8
Completely rewritten Gen-b window; the user can now select different options while sending via check buttons. Optionally the user can specify which checksums should be updated (ipv4, tcp, udp, icmp). Also the Gtk calls were removed from the sending thread, which before caused a lot of stability problems on certain Linux distributions. I hope now the whole program will be much more stable.

1.8 -> 1.8.1
Using nanosecond resolution (if supported by the Linux kernel version, otherwise microseconds will be used). With nanoseconds the desired bandwidth can be much closer to the actual one for all bandwidths selected. If the actual bandwidth differs from the desired one by more than 10% a warning is included in the status bar.
Interface dialog now displays all available interfaces, not only interfaces with an IP address assigned (thanks to Alok Prasad for the patch).

1.8.1 -> 1.9
Gui: Added options for additional stream control (speed ramp, size ramp)
CLI: added options for IDS/firewall testing

7.11.2018 (github):
Complete packETHcli rewrite with many new options to tune sending parameters. Please see the cli dir for details!

27.11.2018 (github):
- packETHcli added receiver option (mode -m 9) to count received packets
- packETHcli added option to include a pattern (predefined or custom) which can be checked by packETHcli in receiver mode, to verify that all packets that were sent were also correctly received at the receiver site
- packETH added option to include a predefined pattern (same as packETHcli -x option) that can be checked with packETHcli mode -m 9
- packETHcli nanoseconds support

==> packETH-3.0/INSTALL <==

Installation Instructions
*************************

Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.

This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it.

Basic Installation
==================

Briefly, the shell commands `./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package.

The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions.
Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure').

It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files.

If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it.

The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'.

The simplest way to compile this package is:

  1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system.

     Running `configure' might take a while. While running, it prints some messages telling which features it is checking for.

  2. Type `make' to compile the package.

  3. Optionally, type `make check' to run any self-tests that come with the package.

  4. Type `make install' to install the programs and any data files and documentation.

  5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution.

  6. Often, you can also type `make uninstall' to remove the installed files again.

Compilers and Options
=====================

Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables.

You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example:

     ./configure CC=c99 CFLAGS=-g LIBS=-lposix

*Note Defining Variables::, for more details.

Compiling For Multiple Architectures
====================================

You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'.

With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture.

On MacOS X 10.5 and later systems, you can create libraries and executables that work on multiple system types--known as "fat" or "universal" binaries--by specifying multiple `-arch' options to the compiler but only a single `-arch' option to the preprocessor. Like this:

     ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
                 CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
                 CPP="gcc -E" CXXCPP="g++ -E"

This is not guaranteed to produce working output in all cases, you may have to build one architecture at a time and combine the results using the `lipo' tool if you have problems.

Installation Names
==================

By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX'.

You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix.

In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them.

If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.

Optional Features
=================

Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes.

For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations.

Particular systems
==================

On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC is not installed, it is recommended to use the following options in order to use an ANSI C compiler:

     ./configure CC="cc -Ae"

and if that doesn't work, install pre-built binaries of GCC for HP-UX.

On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot parse its `' header file. The option `-nodtk' can be used as a workaround. If GNU CC is not installed, it is therefore recommended to try

     ./configure CC="cc"

and if that doesn't work, try

     ./configure CC="cc -nodtk"

Specifying the System Type
==========================

There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form:

     CPU-COMPANY-SYSTEM

where SYSTEM can have one of these forms:

     OS KERNEL-OS

See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type.

If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for.

If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'.

Sharing Defaults
================

If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script.

Defining Variables
==================

Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example:

     ./configure CC=/usr/local2/bin/gcc

causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script).

Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf bug. Until the bug is fixed you can use this workaround:

     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash

`configure' Invocation
======================

`configure' recognizes the following options to control how it operates.

`--help'
`-h'
     Print a summary of all of the options to `configure', and exit.

`--help=short'
`--help=recursive'
     Print a summary of the options unique to this package's `configure', and exit. The `short' variant lists options used only in the top level, while the `recursive' variant lists options also present in any nested packages.

`--version'
`-V'
     Print the version of Autoconf used to generate the `configure' script, and exit.

`--cache-file=FILE'
     Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching.

`--config-cache'
`-C'
     Alias for `--cache-file=config.cache'.

`--quiet'
`--silent'
`-q'
     Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown).

`--srcdir=DIR'
     Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically.

`--prefix=DIR'
     Use DIR as the installation prefix. *Note Installation Names:: for more details, including other options available for fine-tuning the installation locations.

`--no-create'
`-n'
     Run the configure checks, but stop before creating any output files.

`configure' also accepts some other, not widely useful, options. Run `configure --help' for more details.

==> packETH-3.0/Makefile.am <==

bin_PROGRAMS=packETH

packETH_built_sources = \
	src/pixmaps.c src/pixmaps.h \
	src/ui.c src/ui.h

packETH_SOURCES= \
	$(packETH_built_sources) \
	src/main.c \
	src/support.c src/support.h \
	src/interface.c src/interface.h \
	src/callbacks.c src/callbacks.h \
	src/function.c src/function.h \
	src/function_send.c src/function_send.h \
	src/loadpacket.c src/loadpacket.h \
	src/savepacket.c src/savepacket.h \
	src/headers.h

pixmaps= \
	src/pixmaps/pixmaps.gresource.xml \
	src/pixmaps/Build.xpm \
	src/pixmaps/interface.xpm \
	src/pixmaps/load.xpm \
	src/pixmaps/preference.xpm \
	src/pixmaps/reset.xpm \
	src/pixmaps/save.xpm \
	src/pixmaps/send.xpm \
	src/pixmaps/X.xpm

ui= \
	ui/ui.gresource.xml \
	ui/about_dialog.ui \
	ui/error_dialog.ui \
	ui/fileselection1.ui \
	ui/fileselection2.ui \
	ui/fileselection3.ui \
	ui/fragmentation_dialog.ui \
	ui/interface_dialog.ui \
	ui/sel1_dialog.ui \
	ui/tos_dialog.ui \
	ui/udp_payload_dialog.ui \
	ui/window1.ui

DEFS= \
	-DPKGDATADIR=\"$(pkgdatadir)/\"

LIBS=$(DEPS_LIBS) -lm

AM_CPPFLAGS = \
	-g \
	-O2 \
	-Wall \
	-Wmissing-prototypes \
	-Wmissing-declarations \
	-Wunused \
	-Wl,--export-dynamic \
	$(DEPS_CFLAGS)

# Include the pixmaps and ui in the distribution (make dist)
EXTRA_DIST=$(pixmaps) $(ui)
BUILT_SOURCES = \
	$(packETH_built_sources)

CLEANFILES = \
	$(packETH_built_sources)

src/pixmaps.c: $(pixmaps)
	$(AM_V_GEN) glib-compile-resources --generate-source --sourcedir=src/pixmaps --target=$@ src/pixmaps/pixmaps.gresource.xml

src/pixmaps.h: $(pixmaps)
	$(AM_V_GEN) glib-compile-resources --generate-header --sourcedir=src/pixmaps --target=$@ src/pixmaps/pixmaps.gresource.xml

src/ui.c: $(ui)
	$(AM_V_GEN) glib-compile-resources --generate-source --sourcedir=ui --target=$@ ui/ui.gresource.xml

src/ui.h: $(ui)
	$(AM_V_GEN) glib-compile-resources --generate-header --sourcedir=ui --target=$@ ui/ui.gresource.xml

==> packETH-3.0/NEWS <==

Look into CHANGELOG.

==> packETH-3.0/README <==

# packETH

packETH is a GUI and CLI packet generator tool for ethernet. It allows you to create and send any possible packet or sequence of packets on the ethernet link. It is very simple to use, powerful and supports many adjustments of parameters while sending packets. It runs on Linux.

With the GUI version you can create and send packets. With the CLI version you can only send already stored packets from a pcap file.

More information about installation, usage, GUI and CLI version and FAQ can be found here: http://packeth.sourceforge.net/packeth/Home.html

Blog with some use cases: https://packeth.wordpress.com

## NEWS 27.11.2018:

- packETHcli added receiver option (mode -m 9) to count received packets
- packETHcli added option to include a pattern (predefined or custom) which can be checked by packETHcli in receiver mode, to verify that all packets that were sent were also correctly received at the receiver site
- packETHcli - nanoseconds support
- packETH added option to include a predefined pattern (same as packETHcli -x option) that can be checked with packETHcli mode -m 9

## NEWS 7.11.2018:

Complete packETHcli rewrite with many new options to tune sending parameters. Please see the cli dir for details!

## INSTALLATION

### GUI

git clone https://github.com/jemcek/packETH.git
cd packETH
./autogen.sh (you will need aclocal, autoconf, autoheader and automake installed to run this)
./configure
make
make install (optional)
./packETH

or download the code from: https://sourceforge.net/projects/packeth/files/

tar xjvf packETH.(version).tar.bz
cd packETH
autoreconf -f -i (optional, in case you get automake version mismatch, missing files etc...)
./configure
make
make install (optional)
./packETH

### CLI (you can also only compile the cli version if you want)

cd cli
make

## USAGE

### GUI version

./packETH (or packETH if you did the make install)

The usage of the program should be pretty straightforward. As you will see, there are 4 main windows (first four buttons from the left side). I call them:

- Builder - the page where you build the packet and send it once
- Gen-b - generator for sending the packet currently built inside Builder, with many options for how to send it
- Gen-s - generator that allows you to select up to 10 previously built packets and send them in different ways
- Pcap window - open a tcpdump/wireshark capture file and load the selected packet into Builder

To send the packets you need SuperUser rights.

### CLI version

Type ./packETHcli -h for available options.

## DONATIONS

If you would like to increase my motivation for further development, you can make a donation. The amount is not important at all, it is just a sign for me, that time I spent for this project helps someone.

[DONATE](https://www.paypal.com/donate/?token=n93oVmxnMD6S0pU87PjkgLCfx6RJU7VLJDVS4OBGULA7jO1-Hg-5VTNpeYwtpGMrtdkh4G&country.x=SI&locale.x=SI)

## AUTHORS & SUPPORT

If you get into problems, please feel free to contact me.

Miha Jemec
jemcek@gmail.com

packETH (C) 2003-2018 by Miha Jemec, Covered under the GPL.
==> packETH-3.0/README.md <==

# packETH

packETH is a GUI and CLI packet generator tool for ethernet. It allows you to create and send any possible packet or sequence of packets on the ethernet link. It is very simple to use, powerful and supports many adjustments of parameters while sending packets. It runs on Linux.

With the GUI version (packETH) you can create and send packets. With the CLI version (packETHcli) you can only send already stored packets from a pcap file. The CLI version also has a receiver mode that can count packets and check whether all packets that were sent were also received.

Some more information about installation, usage, GUI and CLI version and FAQ can also be found [here](https://packeth.sourceforge.net/packeth/Home.html).

[Blog](https://packeth.wordpress.com) with some use cases.

## NEWS

### OCT 2023

- migrated to GTK3 (many thanks to @qarkai)

### JUL 2019

- packETHcli added burst mode (-m 6)

### 27.11.2018

- packETHcli added receiver option (mode -m 9) to count received packets
- packETHcli added option to include a pattern (predefined or custom) which can be checked by packETHcli in receiver mode, to verify that all packets that were sent were also correctly received at the receiver site
- packETHcli - nanoseconds support
- [Receiver mode](https://packeth.wordpress.com/2018/12/05/reciver-mode-check-for-dropped-packets/)
- [CLI tips](https://packeth.wordpress.com/2018/11/12/packethcli-some-practical-tips-1/)

## INSTALLATION

### GUI

```sh
git clone https://github.com/jemcek/packETH.git
cd packETH
./autogen.sh # you will need aclocal, autoconf, autoheader and automake installed to run this
autoreconf -f -i # optional - in case you get automake version mismatch, missing files etc...
./configure
make
make install # optional
./packETH
```

Depending on your Linux distribution and type of installation, additional packages may be needed. For example:

#### Centos 7.4 (minimal)

```sh
yum groupinstall 'Development Tools'
yum install gtk3-devel.x86_64
```

#### Ubuntu 18.04 server

```sh
sudo apt-get install build-essential
sudo apt-get install autoconf
sudo apt-get install pkg-config
sudo apt-get install libgtk-3-dev
```

### CLI (you can also only compile the cli version if you want)

```sh
cd cli
make
```

## USAGE

### GUI version

`./packETH` (or `packETH` if you did the `make install`)

The usage of the program should be pretty straightforward. As you will see, there are 4 main windows (first four buttons from the left side). I call them:

- Builder - the page where you build the packet and send it once
- Gen-b - generator for sending the packet currently built inside Builder, with many options for how to send it
- Gen-s - generator that allows you to select up to 10 previously built packets and send them in different ways
- Pcap window - open a tcpdump/wireshark capture file and load the selected packet into Builder

To send the packets you need SuperUser rights.

### CLI version

Type `./packETHcli -h` for available options.

### RECEIVER mode

packETHcli also has a receiver mode (-m 9). In this mode packETHcli counts packets and displays statistics. If you add a pattern into the packets sent by packETH or packETHcli, then only packets with a valid pattern will be counted. See the manual for more help.

## DONATIONS

If you would like to increase my motivation for further development, you can make a donation. The amount is not important at all, it is just a sign for me, that time I spent for this project helps someone.

https://www.paypal.com/donate/?business=FZ8CFZHYDW2RJ&no_recurring=0&currency_code=EUR

## AUTHORS & SUPPORT

If you get into problems, please feel free to contact me.

Miha Jemec

packETH (C) 2003-2023 by Miha Jemec, Covered under the GPL.
==> packETH-3.0/addresslist <==

127.0.0.1,::1,00:00:00:00:00:00,Loopback
1.1.1.1,2000:0001:3333::1,00:00:00:00:00:11,
1.1.1.1,,00:00:00:00:00:11,example1
,::1,00:00:00:00:11:22,example2
37.35.3.3,,00:22:33:22:22:22,

==> packETH-3.0/autogen.sh <==

autoreconf --install || exit 1

==> packETH-3.0/cli/Makefile <==

# packETHcli - ethernet packet generator
# By Miha Jemec
# Copyright 2014 Miha Jemec,
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

# Makefile for building packETHcli

SHELL = /bin/sh
prefix = /usr
includedir = /usr/src/include
INSTALL = /usr/bin/install -c
INSTALL_DATA = ${INSTALL} -m 644
INSTALL_PREFIX = /usr

CC = gcc
CPPFLAGS =
LDFLAGS =
CFLAGS = -g -Wall -Wunused -Wmissing-prototypes -Wmissing-declarations -Werror
CFLAGS += -O3
LIBS = -lm -lpthread

SOURCES = cli_send.c parse_snort_rules.c
OBJECTS = cli_send.o parse_snort_rules.o
PROGRAM = packETHcli

COMPILE = $(CC) $(CFLAGS) $(CPPFLAGS)

all: $(PROGRAM)

$(PROGRAM): $(OBJECTS)
	$(CC) $(CFLAGS) $(LDFLAGS) $(OBJECTS) $(LIBS) -o $@

%.o: %.c
	$(COMPILE) -c $<

install: $(PROGRAM)
	$(INSTALL) $(PROGRAM) $(DESTDIR)/$(INSTALL_PREFIX)/bin/$(PROGRAM)
	if [ ! -d $(DESTDIR)/$(INSTALL_PREFIX)/share/pixmaps/$(PROGRAM) ]; then mkdir -p $(DESTDIR)/$(INSTALL_PREFIX)/share/pixmaps/$(PROGRAM); fi
	$(INSTALL_DATA) pixmaps/* $(DESTDIR)/$(INSTALL_PREFIX)/share/pixmaps/$(PROGRAM)

test:
	$(CC) $(CFLAGS) $(LDFLAGS) -DTEST_SNORT_RULE_PARSING parse_snort_rules.c -o parse_snort_rules

clean:
	rm -f $(OBJECTS) $(PROGRAM) *~ parse_snort_rules

==> packETH-3.0/cli/NEWS <==

NEWS 27.11.2018:

- packETHcli added receiver option (mode -m 9) to count received packets
- packETHcli added option to include a pattern (predefined or custom) which can be checked by packETHcli in receiver mode, to verify that all packets that were sent were also correctly received at the receiver site
- packETHcli - nanoseconds support
- packETH added option to include a predefined pattern (same as packETHcli -x option) that can be checked with packETHcli mode -m 9

NEWS 7.11.2018:

Complete packETHcli rewrite with many new options to tune sending parameters. Please see the cli dir for details!

==> packETH-3.0/cli/README <==

packETHcli is a cli (command line) version of packETH. It allows you to easily send packets from a pcap file.
It has different sending options, although not all features from packETH are supported. It also has a receiver mode where packets sent by packETH or packETHcli can be captured and checked for errors.

NEWS:

JUL 2019:
- added burst mode (-m 6)

NOV 2018:
- added receiver option (mode -m 9) to count received packets
- added option to include a pattern (predefined or custom) which can be checked by packETHcli in receiver mode, to verify that all packets that were sent were also correctly received at the receiver site
- nanoseconds support
- added option to change packet rate while sending (ramp mode) in both directions
- added option to change packet size while sending (ramp mode) at constant pps or constant bandwidth
- option to select which packet should be sent in case there are many stored in the pcap file
- added option to specify time to transmit (not only number of packets)
- IDS test mode included in main repo

INSTALLATION

~/packETH/cli# make

USAGE:

./packETHcli -m -i -f [options]

There are 5 different modes; use ./packETHcli -m to get detailed help for a particular mode

-m 1 - SEND PACKET ONCE (default mode): send packet from the pcap file once
-m 2 - SEND PACKET CONTINUOUSLY WITH CONSTANT RATE: send (first) packet from pcap file at constant rate
-m 3 - SEND PACKET CONTINUOUSLY WITH VARIABLE RATE (SPEED RAMP)
-m 4 - SEND PACKET CONTINUOUSLY WITH VARIABLE SIZE (SIZE RAMP)
-m 5 - SEND SEQUENCE OF PACKETS (IDS TEST MODE)
-m 6 - SEND PACKETS IN BURST MODE (CONSTANT BURST)
-m 9 - RECEIVER MODE (count packets sent by packETHcli or packETH)

-f - file name where packet is stored in pcap format (or attack definitions file in Snort rule format in mode 5)
-I - time interval to display results (default 1s)

FOR EXAMPLES SEE: ./packETHcli -e
FOR COMPLETE HELP: ./packETHcli -h

MODES:

-m 1 - SEND PACKET ONCE (default mode): send packet from the pcap file once

Usage: ./packETHcli -m 1 -i -f [-c]

Optional parameters:
-c - sequence number of packet stored in pcap file (by default the first packet will be sent); to see sequence numbers of packets inside a pcap file: tcpdump -# -r filename
-I - time interval to display results (default 1s)

Example: packETHcli -i lo -f packet.pcap

-m 2 - SEND PACKET CONTINUOUSLY WITH CONSTANT RATE: send (first) packet from pcap file at constant rate

Usage: ./packETHcli -m 2 -i -f [options]

Required parameters:
Number of packets to send or duration in seconds (only one option possible)
-n - number of packets to send or 0 for infinite
-t - seconds to transmit
Delay between packets or send rate (only one option possible)
-D - delay between packets in nanoseconds
-d - delay between packets in microseconds; -d 0 - maximum speed with counters; -d -1 - maximum speed without counters
-b - desired sending rate in kbit/s
-B - desired sending rate in Mbit/s

Optional parameters:
-c - sequence number of packet stored in pcap file (by default the first packet will be sent)
-I - time interval to display results (default 1s)
Insert predefined pattern into packet:
-x - insert pattern "a9b8c7d6" and counter inside last 10 bytes of packet
Insert custom pattern at custom position and counter at custom position:
-q - where the pattern should be (byte offset)
-w - what the pattern to match should be
-o - where the incremented counter should be (byte offset)

Example: ./packETHcli -i eth0 -m 2 -B 100 -n 10000 -f p1.pcap

-m 3 - SEND PACKET CONTINUOUSLY WITH VARIABLE RATE (SPEED RAMP)

Usage: ./packETHcli -m 3 -i -f [options]

Required parameters:
Number of packets to send or duration in seconds (only one option possible)
-n - number of packets to send or 0 for infinite
-t - seconds to transmit
Startrate, Stoprate, Steprate and Step duration (only one option possible):
-Z "" - startrate, stoprate and steprate
-p - period between steps in seconds

Optional parameters:
-c - sequence number of packet stored in pcap file (by default the first packet will be sent)
-I - time interval to display results (default 1s)
Insert predefined pattern into packet:
-x - insert pattern "a9b8c7d6" and counter inside last 10 bytes of packet
Insert custom pattern at custom position and counter at custom position:
-q - where the pattern should be (byte offset)
-w - what the pattern to match should be
-o - where the incremented counter should be (byte offset)

Example: ./packETHcli -i eth1 -m 3 -t 3600 -Z "500 100 1" -p 5 -f p1.pcap

-m 4 - SEND PACKET CONTINUOUSLY WITH VARIABLE SIZE (SIZE RAMP)

Usage: ./packETHcli -m 4 -i -f [options]

Required parameters:
Number of packets to send or duration in seconds (only one option possible)
-n - number of packets to send or 0 for infinite
-t - seconds to transmit
Delay between packets or send rate (only one option possible). Choose the first option for constant pps and the second one for constant bandwidth
-d - delay between packets in microseconds; select 0 for maximum speed
-D - delay between packets in nanoseconds; select 0 for maximum speed with counters; select -1 for maximum speed without counters
-b - desired sending rate in kbit/s
-B - desired sending rate in Mbit/s
Startsize, Stopsize, Stepsize and Step duration number
-s "" in bytes (please note that TCP and UDP checksums are not recalculated!)
-p - period between steps in seconds

Optional parameters:
-c - sequence number of packet stored in pcap file (by default the first packet will be sent)
-I - time interval to display results (default 1s)
Insert predefined pattern into packet:
-x - insert pattern "a9b8c7d6" and counter inside last 10 bytes of packet

Example: ./packETHcli -i eth1 -m 4 -d 2000 -n 0 -s "100 1500 100" -p 5 -f p1.pcap

-m 5 - SEND SEQUENCE OF PACKETS (IDS TEST MODE)

Usage: ./packETHcli -m 5 -i -f [options]

Required parameters:
-f - attack definitions file in Snort rule format
-a - innocent traffic for 0, 25% attack for 1, 50% attack for 2, 75% attack for 3, 100% attack for 4
-S ""
-p
-d - delay between packets OR -b OR -B
-n - number of packets to send (0 for infinite) OR -t - seconds to transmit

Example: ./packETHcli -i lo -f sample_snort_rules.txt -B 10 -m 5 -t 60 -S 1000 -a 2

-m 6 - SEND PACKETS IN BURST MODE (CONSTANT BURST)

Usage: ./packETHcli -m 6 -i -f [options]

Required parameters:
Number of packets to send or duration in seconds (only one option possible)
-n - number of packets to send or 0 for infinite
-t - seconds to transmit
Number of packets in burst, delay between packets in burst (us), delay till next burst (us)
-L ""

Optional parameters:
-c - sequence number of packet stored in pcap file (by default the first packet will be sent)
-I - time interval to display results (default 1s)
Insert predefined pattern into packet:
-x - insert pattern "a9b8c7d6" and counter inside last 10 bytes of packet

Example: ./packETHcli -i eth1 -m 6 -n 0 -L "100 1 100" -f p1.pcap

-m 9 - RECEIVER MODE: COUNT PACKETS (FROM packETHcli)

Usage: ./packETHcli -m 9 -i [-x OR -o -q -w ]

Optional parameters:
To count packets with the predefined pattern sent by packETHcli use the -x option on both sides (sender and receiver):
-x - the last 10 bytes in received packets will be checked for pattern "a8b7c7d6" and counter
To count packets with a custom pattern at a custom position and counter at a custom position:
-q - where the pattern should be (byte offset)
-w - what the pattern to match should be
-o - where
should the inceremented counter be (bytes offset) Examples: ./packETHcli -i eth0 ./packETHcli -i eth0 -x ./packETHcli -i eth0 -o 60 -q 70 -w 12345678 packETH-3.0/cli/TODO000066400000000000000000000002211451456143500140750ustar00rootroot00000000000000- Header checksum recalculation in case of size ramp option (changing payload size between steps), the headers checksums are not recalculated packETH-3.0/cli/cli_send.c000066400000000000000000002617161451456143500153530ustar00rootroot00000000000000/* * packETH, packETHcli - ethernet packet generator * By Miha Jemec * Copyright 2018 Miha Jemec * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 3 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define PCAP_MAGIC 0xa1b2c3d4 #ifndef MAX_MTU #define MAX_MTU 9000 #define MAX_MTU_STR "9000" #endif #define MY_PATTERN "a9b8c7d6" //char my_pattern[]="a9b8c7d6"; /* "libpcap" file header (minus magic number). 
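The -x tagging and the receiver-side counting (-m 9) described in the usage text above, as an added example that is not packETHcli's own code: a sender helper writes the "a9b8c7d6" marker and a one-byte counter into the last 10 bytes of a frame, a receiver helper counts matched frames and sequence gaps with the same modulo-256 wrap the tool uses, and a small helper shows the kbit/s-to-delay formula behind -b. All frames, the drop positions and the background frame are constructed inline; no sockets are involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MY_PATTERN "a9b8c7d6"   // the marker packETHcli writes with -x
#define TAG_LEN 10              // 8 marker bytes + 1 reserved byte + 1 counter byte

struct rx_stats {
    long matched;     // frames carrying the marker (our own traffic)
    long others;      // frames without it (background traffic on the interface)
    long seq_errors;  // marker frames whose counter did not follow the previous one
};

// Sender side of -x: overwrite the last 10 bytes of the frame with the marker,
// a zero byte and the 1-byte counter. Returns 0, or -1 if the frame is too short.
int tag_frame(uint8_t *frame, size_t len, uint8_t counter)
{
    if (len < TAG_LEN)
        return -1;
    memcpy(frame + len - TAG_LEN, MY_PATTERN, 8);
    frame[len - 2] = 0;
    frame[len - 1] = counter;
    return 0;
}

// Receiver side of -m 9 -x: classify one frame and update the counters.
// *have_prev records whether a marker frame was seen before, because the first
// one cannot be compared with anything and must not count as an error.
void rx_frame(struct rx_stats *st, uint8_t *prev, int *have_prev,
              const uint8_t *frame, size_t len)
{
    if (len >= TAG_LEN && memcmp(frame + len - TAG_LEN, MY_PATTERN, 8) == 0) {
        uint8_t cur = frame[len - 1];
        // expected successor modulo 256, so 255 -> 0 is not a gap
        if (*have_prev && cur != (uint8_t)(*prev + 1))
            st->seq_errors++;
        *prev = cur;
        *have_prev = 1;
        st->matched++;
    } else {
        st->others++;
    }
}

// Inter-packet delay in nanoseconds for a requested rate in kbit/s (-b),
// following the formula the sender uses: 1e6 * bytes * 8 / kbit.
long long delay_ns_for_kbit(int frame_len, int kbit)
{
    return 1000000LL * frame_len * 8 / kbit;
}

static int is_dropped(int idx, const int *drop, int ndrop)
{
    for (int k = 0; k < ndrop; k++)
        if (drop[k] == idx)
            return 1;
    return 0;
}

// Constructed run: 'total' marker frames with counters 1, 2, 3, ... (packETHcli
// starts at 1), of which the indices listed in 'drop' are lost on the wire; one
// unrelated frame is mixed in after index 3.
struct rx_stats simulate(int total, const int *drop, int ndrop)
{
    struct rx_stats st = {0, 0, 0};
    uint8_t prev = 0;
    int have_prev = 0;
    uint8_t frame[64];
    uint8_t noise[64];

    memset(noise, 0x11, sizeof noise);          // constructed background frame
    for (int i = 0; i < total; i++) {
        memset(frame, 0xAB, sizeof frame);      // constructed payload
        tag_frame(frame, sizeof frame, (uint8_t)(i + 1));
        if (!is_dropped(i, drop, ndrop))
            rx_frame(&st, &prev, &have_prev, frame, sizeof frame);
        if (i == 3)
            rx_frame(&st, &prev, &have_prev, noise, sizeof noise);
    }
    return st;
}

int main(void)
{
    const int drop[] = {10, 300};
    struct rx_stats st = simulate(600, drop, 2);
    printf("matched %ld, others %ld, sequence errors %ld\n",
           st.matched, st.others, st.seq_errors);
    printf("1500-byte frame at 100 Mbit/s: %lld ns between frames\n",
           delay_ns_for_kbit(1500, 100000));
    return 0;
}
```

Two lost frames out of 600 show up as two sequence errors even though the counter wraps from 255 to 0 twice in between; the background frame is counted but never compared.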
 */
struct pcap_hdr {
    uint32_t magic;          /* magic */
    uint16_t version_major;  /* major version number */
    uint16_t version_minor;  /* minor version number */
    uint32_t thiszone;       /* GMT to local correction */
    uint32_t sigfigs;        /* accuracy of timestamps */
    uint32_t snaplen;        /* max length of captured packets, in octets */
    uint32_t network;        /* data link type */
};

/* "libpcap" record header. */
struct pcaprec_hdr {
    int32_t  ts_sec;         /* timestamp seconds */
    uint32_t ts_usec;        /* timestamp microseconds */
    uint32_t incl_len;       /* number of octets of packet saved in file */
    uint32_t orig_len;       /* actual length of packet */
};

struct params {
    int mode;
    struct sockaddr_ll sa;
    struct ifreq ifr;
    struct ifreq ifopts;     /* set promiscuous mode */
    struct pcap_hdr fh;
    struct pcaprec_hdr ph;
    char iftext[20];
    int fd;
    char *ptr;
    char pkt_temp[10000];
    char filename[200];
    long long delay;
    int bw;
    int BW;
    long long number;
    long duration;
    int period;
    int attack;
    char sizeramp[50];
    char rateramp[50];
    char rateRAMP[50];
    char burstargs[50];
    int packetsize;
    int seqnum;
    int offset_counter;
    int offset_pattern;
    char pattern[20];
    int my_pattern;
    int delay_mode;
    int paramnum;
    int display_interval;
    int rate;
    int size;
    int startrate;
    int stoprate;
    int steprate;
    int startsize;
    int stopsize;
    int stepsize;
    int ConstantRate;
    int num_rules;
    int burst_size;
    int burst_packets_in_burst;
    int burst_delay_between_packets;
    int burst_delay_to_next_burst;
    int burst_total;
} params1;

int STOP = 0;

/* Link-layer type; */
//static unsigned long pcap_link_type = 1; /* Default is DLT-EN10MB */

/* for mode 4, please change them accordingly */
#define MAC_DST_ADDR {0x00, 0x04, 0x23, 0xB7, 0x29, 0xC4}
#define MAC_SRC_ADDR {0x00, 0x04, 0x23, 0xB7, 0x21, 0xD8}
#define IP_SRC_ADDR 0x0A0A0A0A
#define IP_DST_ADDR 0x0B0B0B0B
#define TCP_SRC_PORT htons(80)
#define TCP_DST_PORT (MyRandom(seed)>>16)

extern char **g_content;
extern char *null_payload;

uint16_t TCPChecksum(uint16_t* buf1, int buf1len, uint16_t* buf2, int buf2len);
uint32_t MyRandom(uint64_t *seed);
__sum16 ip_fast_csum(const void *iph, unsigned int ihl);
char *build_packet(char *buffer, int pktsize, int tot_rules, int *rule_idx, uint64_t *seed, int attack);
int readSnortRules(const char *filename);
void cleanupRules(int);

int send_single_packet(void);
int send_constant_stream(void);
int send_variable_rate(void);
int send_variable_size(void);
int send_burst_constant_mode(void);
int send_ids_mode(void);
int receiver_mode(void);
int two(char *interface, long delay, long pkt2send, char *filename, char *sizetmp, int period, char *ratetmp);
int four(char *interface, long delay, long pkt2send, char *filename, char *sizetmp, int period, int attack);
void usage(void);
void usage_1(void);
void usage_2(void);
void usage_3(void);
void usage_4(void);
void usage_5(void);
void usage_6(void);
void usage_9(void);
void examples(void);
void print_final(struct timeval first, long packets_sent, char *interface_name);
void print_intermidiate(long packets_sent, long packets_last_sent, int packet_size, int print_interval);
void onexit(int);
int interface_setup(void);
int read_packet_from_file(char *filename);
int function_send(void);
int function_send_burst(void);

int main(int argc, char *argv[])
{
    int c;
    char *p;

    /* set default values */
    params1.mode = 1;
    params1.delay = -2;
    params1.bw = -2;
    params1.BW = -2;
    params1.number = -2;
    params1.duration = -2;
    params1.sizeramp[0] = '\0';
    params1.rateramp[0] = '\0';
    params1.rateRAMP[0] = '\0';
    params1.burstargs[0] = '\0';
    params1.iftext[0] = '\0';
    params1.period = -2;
    params1.attack = -2;
    params1.packetsize = -2;
    params1.seqnum = -2;
    params1.pattern[0] = '\0';
    params1.offset_counter = 0;
    params1.offset_pattern = 0;
    params1.my_pattern = 0;
    params1.delay_mode = 0;
    params1.paramnum = 0;
    params1.display_interval = 1;
    params1.rate = 0;
    params1.size = 0;
    params1.startrate = 0;
    params1.stoprate = 0;
    params1.steprate = 0;
    params1.startsize = 0;
    params1.stopsize = 0;
    params1.stepsize = 0;
    params1.ConstantRate = 0;
    params1.num_rules = 0;
    params1.burst_size = 0;
    params1.burst_packets_in_burst = 0;
    params1.burst_delay_between_packets = 0;
    params1.burst_delay_to_next_burst = 0;
    params1.burst_total = 0;

    setlinebuf(stdout);

    /* Scan CLI parameters. String options are copied with snprintf so that a long
     * argument can neither overflow the fixed-size buffers nor be read past its end. */
    while ((c = getopt(argc, argv, "heI:i:m:d:D:t:b:B:n:s:S:L:p:f:z:Z:a:c:o:q:w:x")) != -1) {
        switch (c) {
        case 'a':
            params1.attack = strtol(optarg, &p, 10);
            if ((params1.attack < 1) || (params1.attack > 4)) {
                printf("\n Selected amount of attack traffic (-a ) should be between 1-4!\n\n");
                exit(0);
            }
            break;
        case 'h':
            usage();
            usage_1();
            usage_2();
            usage_3();
            usage_4();
            usage_5();
            usage_6();
            usage_9();
            exit(0);
        case 'e':
            examples();
            break;
        case 'i':
            /* interface name */
            snprintf(params1.iftext, sizeof(params1.iftext), "%s", optarg);
            break;
        case 'I':
            params1.display_interval = strtol(optarg, &p, 10);
            if ((params1.display_interval < 1) || (params1.display_interval > 600)) {
                printf("\n Display interval (-I ) should be between 1s (default) and 600s!\n\n");
                exit(0);
            }
            break;
        case 'm':
            params1.mode = strtol(optarg, &p, 10);
            if ((params1.mode != 1) && (params1.mode != 2) && (params1.mode != 3) && (params1.mode != 4) &&
                (params1.mode != 5) && (params1.mode != 6) && (params1.mode != 9)) {
                printf("\n Wrong mode option (-m mode). Allowed 1,2,3,4,5,6 or 9.\n\n");
                exit(7);
            }
            break;
        case 'd':
            /* delay in microseconds; -1 and 0 select the two maximum-speed modes */
            params1.delay = strtoll(optarg, &p, 10);
            params1.delay_mode = params1.delay_mode + 1;
            if ((params1.delay < -1) || (params1.delay > 100000000)) {
                printf("\n Delay between packets (-d ) should be between -1 and 100000000us (100s).\n\n");
                exit(7);
            }
            break;
        case 'D':
            /* delay in nanoseconds */
            params1.delay = strtoll(optarg, &p, 10);
            params1.delay_mode = params1.delay_mode + 2;
            if ((params1.delay < 1) || (params1.delay > 1000000000)) {
                printf("\n Delay between packets (-D ) should be between 1 and 1000000000ns (1s).\n\n");
                exit(7);
            }
            break;
        case 'b':
            params1.bw = strtol(optarg, &p, 10);
            params1.delay_mode = params1.delay_mode + 4;
            if ((params1.bw < 1) || (params1.bw > 100000000)) {
                printf("\n Desired bandwidth (-b ) should be between 1kbit/s and 100Gbit/s!\n\n");
                exit(0);
            }
            break;
        case 'B':
            params1.BW = strtol(optarg, &p, 10);
            params1.delay_mode = params1.delay_mode + 8;
            if ((params1.BW < 1) || (params1.BW > 100000000)) {
                printf("\n Desired bandwidth (-B ) should be between 1Mbit/s and 100Gbit/s!\n\n");
                exit(0);
            }
            break;
        case 'c':
            params1.seqnum = strtol(optarg, &p, 10);
            break;
        case 'n':
            params1.number = strtoll(optarg, &p, 10);
            if ((params1.number < 0) || (params1.number > 10000000000000000)) {
                printf("\n Number of packets to send (-n ) out of range!\n\n");
                exit(0);
            }
            break;
        case 't':
            params1.duration = strtol(optarg, &p, 10);
            if ((params1.duration < 1) || (params1.duration > 360000000)) {
                printf("\n Duration (-t ) out of range!\n\n");
                exit(0);
            }
            break;
        case 'S':
            params1.packetsize = strtol(optarg, &p, 10);
            if ((params1.packetsize < 60) || (params1.packetsize > MAX_MTU)) {
                printf("\n Packetsize (-S ) out of range!\n\n");
                exit(0);
            }
            break;
        case 'L':
            snprintf(params1.burstargs, sizeof(params1.burstargs), "%s", optarg);
            break;
        case 's':
            snprintf(params1.sizeramp, sizeof(params1.sizeramp), "%s", optarg);
            break;
        case 'z':
            snprintf(params1.rateramp, sizeof(params1.rateramp), "%s", optarg);
            break;
        case 'Z':
            snprintf(params1.rateRAMP, sizeof(params1.rateRAMP), "%s", optarg);
            break;
        case 'p':
            params1.period = strtol(optarg, &p, 10);
            if ((params1.period < 1) || (params1.period > 360000)) {
                printf("\n Period (-p ) out of range!\n\n");
                exit(0);
            }
            break;
        case 'o':
            params1.offset_counter = strtol(optarg, &p, 10);
            params1.my_pattern = params1.my_pattern + 2;
            if ((params1.offset_counter < 1) || (params1.offset_counter > MAX_MTU)) {
                printf("\n Offset counter (-o ) out of range!\n\n");
                exit(0);
            }
            break;
        case 'q':
            params1.offset_pattern = strtol(optarg, &p, 10);
            params1.my_pattern = params1.my_pattern + 4;
            if ((params1.offset_pattern < 1) || (params1.offset_pattern > MAX_MTU)) {
                printf("\n Offset pattern (-q ) out of range!\n\n");
                exit(0);
            }
            break;
        case 'w':
            snprintf(params1.pattern, sizeof(params1.pattern), "%s", optarg);
            params1.my_pattern = params1.my_pattern + 8;
            break;
        case 'x':
            params1.my_pattern = params1.my_pattern + 1;
            break;
        case 'f':
            snprintf(params1.filename, sizeof(params1.filename), "%s", optarg);
            break;
        default:
            usage();
            exit(0);
        }
    }

    if (argc == 1) {
        usage();
        printf("FOR COMPLETE HELP: ./packETHcli -h\n");
        printf("\n");
        exit(0);
    }

    if (argc == 3) {
        /* just the help for the selected mode */
        params1.paramnum = 1;
    } else {
        /* set up the selected interface */
        interface_setup();
        /* read packet from file in modes 1-4 and 6 */
        if ((params1.mode < 5) || (params1.mode == 6))
            read_packet_from_file(params1.filename);
    }

    switch (params1.mode) {
    case 1:
        send_single_packet();
        break;
    case 2:
        send_constant_stream();
        break;
    case 3:
        send_variable_rate();
        break;
    case 4:
        send_variable_size();
        break;
    case 5:
        send_ids_mode();
        break;
    case 6:
        send_burst_constant_mode();
        break;
    case 9:
        receiver_mode();
        break;
    }

    return 0;
}

/*------------------------------------------------------------------------------*/
int receiver_mode(void)
{
    char buf[10000];
    ssize_t recv_size = -1, size = 0;
    int firstround = 0, first_packet = 0;
    long packets = 0, packets_total = 0, my_packets = 0, my_total_packets = 0;
    long seconds = 0, gap = 0, errors = 0;
    unsigned int last_value = 0, current_value = 0;
    long mbps;
    float Mbps;
    struct timeval nowstr, first;

    // print help for this mode
    if (params1.paramnum == 1) {
        usage_9();
        exit(0);
    }

    if ((params1.my_pattern > 1) && (params1.my_pattern != 14)) {
        printf("\n Wrong pattern parameters. Choose one option:\n\n");
        printf(" Predefined pattern: -x \n");
        printf(" Custom pattern: -o -q -w \n\n");
        exit(7);
    } else if ((strlen(params1.pattern) > 0) && ((params1.offset_counter == 0) || (params1.offset_pattern == 0))) {
        printf("\n Option -w requires options -o and -q!\n\n");
        exit(7);
    } else if ((params1.offset_counter != 0) && ((strlen(params1.pattern) == 0) || (params1.offset_pattern == 0))) {
        printf("\n Option -o requires options -q and -w!\n\n");
        exit(7);
    } else if ((params1.offset_pattern != 0) && ((strlen(params1.pattern) == 0) || (params1.offset_counter == 0))) {
        printf("\n Option -q requires options -o and -w!\n\n");
        exit(7);
    } else if (strlen(params1.pattern) > 16) {
        printf("\n Pattern should not be longer than 16 chars!\n\n");
        exit(7);
    } else if ((params1.offset_pattern < 0) || (params1.offset_pattern > 9900)) {
        printf("\n Offset of the pattern should be between 0 and 9900!\n\n");
        exit(7);
    } else if ((params1.offset_counter < 0) || (params1.offset_counter > 9900)) {
        printf("\n Offset of the counter should be between 0 and 9900!\n\n");
        exit(7);
    } else if ((strlen(params1.pattern) > 0) && (params1.offset_counter >= params1.offset_pattern) &&
               (params1.offset_counter <= params1.offset_pattern + (int)strlen(params1.pattern))) {
        printf("\n Counter position offset and pattern position offset should not overlap!\n\n");
        exit(7);
    } else if (params1.attack != -2) {
        printf("\n -a option not allowed in this mode!\n\n");
        exit(7);
    }

    if (params1.packetsize != -2) {
        printf("\n Option -S not allowed in this mode!\n\n");
        exit(7);
    }
    if (params1.delay_mode != 0) {
        printf("\n Delay (-d, -D) and bandwidth (-b, -B) options not allowed in this mode!\n\n");
        exit(7);
    }
    if (params1.number != -2) {
        printf("\n Option (-n) not allowed in this mode!\n\n");
        exit(7);
    }
    if (params1.duration != -2) {
        printf("\n Option (-t) not allowed in this mode!\n\n");
        exit(7);
    }
    if (params1.display_interval != 1) {
        printf("\n Option (-I) not allowed in this mode!\n\n");
        exit(7);
    }
    if ((strlen(params1.sizeramp) > 0) || (strlen(params1.rateramp) > 0) ||
        (strlen(params1.rateRAMP) > 0) || (params1.period != -2)) {
        printf("\n Ramp options not allowed in this mode!\n\n");
        exit(7);
    }
    if (strlen(params1.filename) > 0) {
        printf("\n Option -f not allowed in this mode!\n\n");
        exit(7);
    }
    if (params1.seqnum != -2) {
        printf("\n Option -c not allowed in this mode!\n\n");
        exit(7);
    }

    signal(SIGINT, onexit);
    gettimeofday(&first, NULL);
    gettimeofday(&nowstr, NULL);

    while (1) {
        memset(&buf, 0, sizeof(buf));
        recv_size = recv(params1.fd, &buf, sizeof(buf), 0);

        // we received a packet
        if (recv_size > 0) {
            // is the -x option enabled?
            if (params1.my_pattern == 1) {
                // do the last 10 bytes match (a frame shorter than 10 bytes cannot carry the tag)
                if ((recv_size >= 10) && (strncmp(&buf[recv_size - 10], MY_PATTERN, 8) == 0)) {
                    // now check if the sequence number matches (this is the last byte in payload);
                    // read it as an unsigned byte so values above 127 are not sign-extended
                    current_value = (unsigned char)buf[recv_size - 1];
                    // if this is a (re)start ignore the first packet value and don't count it as an error
                    if (first_packet == 0) {
                        first_packet = 1;
                    } else if ((current_value != last_value + 1) && (current_value != last_value - 255)) {
                        // it doesn't match, so increase the error counter
                        errors++;
                    }
                    last_value = current_value;
                    // ok they match, so this is my packet. We can increase the counter
                    my_packets++;
                    my_total_packets++;
                    size = recv_size;
                }
                // count all packets, also those that are not ours
                packets++;
                packets_total++;
            }
            // the custom pattern option was chosen
            else if (params1.offset_pattern > 0) {
                // does the pattern match?
                if ((recv_size >= params1.offset_pattern + (ssize_t)strlen(params1.pattern)) &&
                    (recv_size >= params1.offset_counter) &&
                    (strncmp(&buf[params1.offset_pattern], params1.pattern, strlen(params1.pattern)) == 0)) {
                    // now check if the sequence number matches
                    current_value = (unsigned char)buf[params1.offset_counter - 1];
                    // if this is a (re)start ignore the first packet value and don't count it as an error
                    if (first_packet == 0) {
                        first_packet = 1;
                    } else if ((current_value != last_value + 1) && (current_value != last_value - 255)) {
                        // it doesn't match, so increase the error counter
                        errors++;
                    }
                    last_value = current_value;
                    // ok they match, so this is my packet. We can increase the counter
                    my_packets++;
                    my_total_packets++;
                    size = recv_size;
                }
                packets++;
                packets_total++;
            }
            // no filter: every packet counts
            else {
                packets++;
                packets_total++;
            }

            if (firstround == 0) {
                firstround = 1;
            }
        }

        gettimeofday(&nowstr, NULL);
        gap = nowstr.tv_sec - first.tv_sec;

        if (gap > seconds) {
            if (firstround == 1) {
                firstround = 2;
                errors = 0;
            } else {
                mbps = my_packets * size / 125;   // bytes * 8 / 1000 = kbit
                Mbps = (float)mbps / 1000;
                printf("Elapsed %lds; Interface %s; Matched packets: %ld pps, %.3f Mbit/s, total %ld packets, %ld sequence errors; All packets: %ld pps, total %ld \n",
                       seconds, params1.iftext, my_packets, Mbps, my_total_packets, errors, packets, packets_total);

                // in case the sender stops transmitting and later restarts, we don't want to see this as an error
                if (my_packets == 0)
                    first_packet = 0;

                // some counters update
                seconds++;
                packets = 0;
                my_packets = 0;
            }

            if (STOP == 1)
                break;
        }
    }

    printf("----\n");
    printf("Received %ld my packets and %ld all packets on interface %s\n", my_total_packets, packets_total, params1.iftext);
    printf("----\n");

    return 0;
}

/*------------------------------------------------------------------------------*/
int send_single_packet(void)
{
    int c;

    if (params1.paramnum == 1) {
        usage_1();
        exit(0);
    }

    if ((params1.delay != -2) || (params1.bw != -2) || (params1.BW != -2) || (params1.number != -2) ||
        (params1.duration != -2) || (params1.packetsize != -2) || (params1.attack != -2)) {
        printf("\n No special options allowed in this mode! You can only select interface (-i), filename (-f) and packet number (-c)!\n\n");
        return 1;
    }
    if ((strlen(params1.sizeramp) > 0) || (strlen(params1.rateramp) > 0) || (strlen(params1.rateRAMP) > 0) ||
        (params1.period != -2) || (params1.my_pattern > 0)) {
        printf("\n No special options allowed in this mode! You can only select interface (-i), filename (-f) and packet number (-c)\n\n");
        return 1;
    }

    c = sendto(params1.fd, params1.ptr, params1.ph.incl_len, 0, (struct sockaddr *)&params1.sa, sizeof(params1.sa));
    if (c < 0) {
        perror("sendto");
        return 1;
    }
    printf("\nSent 1 packet (%d bytes) on interface %s\n\n", c, params1.iftext);
    fflush(stdout);
    exit(0);
}

/*------------------------------------------------------------------------------*/
/* send one packet more than once */
int send_constant_stream(void)
{
    // print help for this mode
    if (params1.paramnum == 1) {
        usage_2();
        exit(0);
    }

    // check if the options are ok
    if ((params1.number == -2) && (params1.duration == -2)) {
        printf("\n Missing number of packets to send or time in seconds to transmit.\n Specify -n or -t .\n");
        printf(" Set -n 0 to send infinite number of packets\n\n");
        exit(7);
    } else if ((params1.number != -2) && (params1.duration != -2)) {
        printf("\n Only one option allowed at a time (-n or -t). \n Specify -n or -t !\n\n");
        exit(7);
    }

    if ((params1.delay_mode != 1) && (params1.delay_mode != 2) && (params1.delay_mode != 4) && (params1.delay_mode != 8)) {
        printf("\n Wrong or missing delay between packets or bandwidth parameter.\n\n Specify one of the following options:\n");
        printf(" -D - delay between packets in nanoseconds\n");
        printf(" -d - delay between packets in microseconds\n");
        printf(" -d -1 - maximum speed without counters\n");
        printf(" -d 0 - maximum speed with counters\n");
        printf(" -b - desired bandwidth in kbit/s\n");
        printf(" -B - desired bandwidth in Mbit/s\n\n");
        exit(7);
    }

    // normalise the delay to nanoseconds
    if (params1.delay_mode == 1)
        params1.delay = params1.delay * 1000;
    else if (params1.delay_mode == 2)
        params1.delay = params1.delay;   // already in ns
    else if (params1.delay_mode == 4)
        params1.delay = (long long)(1000000 * (long long)params1.ph.incl_len * 8 / params1.bw);
    else if (params1.delay_mode == 8)
        params1.delay = (long long)(1000 * (long long)params1.ph.incl_len * 8 / params1.BW);

    if ((params1.delay == -1000) && (params1.number != 0)) {
        printf("\n Option -d -1 also requires option -n 0 (infinite number of packets to send)\n\n");
        exit(7);
    }

    if ((params1.number == -2) && (params1.duration > 0)) {
        params1.number = 0;
    }

    if (params1.packetsize != -2) {
        printf("\n Option -S not allowed in this mode\n\n");
        exit(7);
    }
    if ((strlen(params1.sizeramp) > 0) || (strlen(params1.rateramp) > 0) ||
        (strlen(params1.rateRAMP) > 0) || (params1.period != -2)) {
        printf("\n Ramp options not allowed in this mode\n\n");
        exit(7);
    }
    if (params1.delay > 999000000) {
        printf("\n Warning! Rate is below 1pps, statistics will be displayed only when a packet will be sent.\n\n");
    }

    if ((params1.my_pattern > 1) && (params1.my_pattern != 14)) {
        printf("\n Wrong pattern parameters. Choose one option:\n\n");
        printf(" Predefined pattern: -x \n");
        printf(" Custom pattern: -o -q -w \n\n");
        exit(7);
    } else if (strlen(params1.pattern) > 16) {
        printf("\n Pattern should not be longer than 16 chars!\n\n");
        exit(7);
    } else if ((params1.offset_pattern < 0) || (params1.offset_pattern + strlen(params1.pattern) > params1.ph.incl_len)) {
        printf("\n Offset of the pattern is outside the packet size!\n\n");
        exit(7);
    } else if ((params1.offset_counter < 0) || (params1.offset_counter > (int)params1.ph.incl_len)) {
        printf("\n Offset of the counter is outside the packet size!\n\n");
        exit(7);
    } else if ((params1.my_pattern > 1) && (params1.offset_counter >= params1.offset_pattern) &&
               (params1.offset_counter <= params1.offset_pattern + (int)strlen(params1.pattern))) {
        printf("\n Counter position and pattern position should not overlap!\n\n");
        exit(7);
    } else if ((params1.delay == -1000) &&   /* -d -1, after conversion to ns above */
               ((params1.offset_counter != 0) || (params1.offset_pattern != 0) || (strlen(params1.pattern) > 0))) {
        printf("\n Option -x OR -o -q -w are not compatible with high speed -d -1 mode!\n\n");
        exit(7);
    }

    if (params1.attack != -2) {
        printf("\n -a option not allowed in this mode!\n\n");
        exit(7);
    }

    // if we insert my_pattern, it occupies the last 10 to last 2 bytes.
    // The last 2 bytes themselves are reserved for the counter
    if (params1.my_pattern == 1) {
        memcpy(params1.ptr + params1.ph.incl_len - 10, MY_PATTERN, 8);
        memset(params1.ptr + params1.ph.incl_len - 2, 0, 1);
        memset(params1.ptr + params1.ph.incl_len - 1, 1, 1);
    }

    // in case we use a custom pattern and offset
    if (params1.my_pattern > 1) {
        memcpy(params1.ptr + params1.offset_pattern, params1.pattern, strlen(params1.pattern));
    }

    params1.size = params1.ph.incl_len;

    // everything is set up, let's start sending
    function_send();

    return 1;
}

/*------------------------------------------------------------------------------*/
int send_variable_rate(void)
{
    int count, flag = 0;
    int Mega = 0;
    int wordcount = 0;
    int len;
    char *p;
    char tmp8[50];
    char tmp7[20];
    char ch;

    if (params1.paramnum == 1) {
        usage_3();
        exit(0);
    }

    // check if the options are ok
    if (params1.delay_mode != 0) {
        printf("\n Delay (-d, -D) and bandwidth (-b, -B) options not allowed in this mode. Rate is specified with -z or -Z option!\n\n");
        exit(7);
    }

    if ((params1.number == -2) && (params1.duration == -2)) {
        printf("\n Missing number of packets to send or time in seconds to transmit.\n Specify -n or -t .\n");
        printf(" Set -n 0 to send until the ramp finishes. \n\n");
        exit(7);
    } else if ((params1.number != -2) && (params1.duration != -2)) {
        printf("\n Only one option allowed at a time (-n or -t). \n Specify -n or -t !\n\n");
        printf(" Set -n 0 to send until the ramp finishes. \n\n");
        exit(7);
    }

    if ((params1.number == -2) && (params1.duration > 0)) {
        params1.number = 0;
    }

    if (params1.packetsize != -2) {
        printf("\n Option -S not allowed in this mode\n\n");
        exit(7);
    }
    if (params1.attack != -2) {
        printf("\n -a option not allowed in this mode!\n\n");
        exit(7);
    }
    if (strlen(params1.sizeramp) > 0) {
        printf("\n Option -s not allowed in this mode. Packet size can not be changed.\n\n");
        exit(7);
    }
    if ((strlen(params1.rateramp) == 0) && (strlen(params1.rateRAMP) == 0)) {
        printf("\n Did you specify rate with -z option (in kbit/s) or -Z (in Mbit/s)? \n And don't forget the quotation marks! (for example: -z \"100 1000 200\")\n\n");
        exit(7);
    }
    if ((strlen(params1.rateramp) > 0) && (strlen(params1.rateRAMP) > 0)) {
        printf("\n Only one option allowed at a time: -z (kbit/s) or -Z (Mbit/s)!\"\n\n");
        exit(7);
    }
    if (params1.period == -2) {
        printf("\n Did you specify duration of one step (in seconds) with -p option?\n\n");
        exit(7);
    }

    if ((params1.my_pattern > 1) && (params1.my_pattern != 14)) {
        printf("\n Wrong pattern parameters. Choose one option:\n\n");
        printf(" Predefined pattern: -x \n");
        printf(" Custom pattern: -o -q -w \n\n");
        exit(7);
    } else if (strlen(params1.pattern) > 16) {
        printf("\n Pattern should not be longer than 16 chars!\n\n");
        exit(7);
    } else if ((params1.offset_pattern < 0) || (params1.offset_pattern + strlen(params1.pattern) > params1.ph.incl_len)) {
        printf("\n Offset of the pattern is outside the packet size!\n\n");
        exit(7);
    } else if ((params1.offset_counter < 0) || (params1.offset_counter > (int)params1.ph.incl_len)) {
        printf("\n Offset of the counter is outside the packet size!\n\n");
        exit(7);
    } else if ((params1.my_pattern > 1) && (params1.offset_counter >= params1.offset_pattern) &&
               (params1.offset_counter <= params1.offset_pattern + (int)strlen(params1.pattern))) {
        printf("\n Counter position and pattern position should not overlap!\n\n");
        exit(7);
    }

    params1.size = params1.ph.incl_len;

    if (strlen(params1.rateramp) > 0) {
        memcpy(tmp8, params1.rateramp, 50);
        Mega = 0;
    } else if (strlen(params1.rateRAMP) > 0) {
        memcpy(tmp8, params1.rateRAMP, 50);
        Mega = 1;
    } else {
        printf("\n Shouldn't be here...\n\n");
        exit(7);
    }

    // split "startrate stoprate steprate" on blanks; each token is bounded to tmp7's size
    for (count = 0; count <= (int)strlen(tmp8); count++) {
        ch = tmp8[count];
        if (isblank(ch) || (tmp8[count] == '\0')) {
            len = count - flag;
            if (len >= (int)sizeof(tmp7))
                len = sizeof(tmp7) - 1;
            memcpy(tmp7, &tmp8[flag], len);
            tmp7[len] = '\0';
            if (wordcount == 0)
                params1.startrate = strtol(tmp7, &p, 10);
            else if (wordcount == 1)
                params1.stoprate = strtol(tmp7, &p, 10);
            else if (wordcount == 2)
                params1.steprate = strtol(tmp7, &p, 10);
            wordcount += 1;
            flag = count;
        }
    }

    if (Mega == 1) {
        params1.startrate = params1.startrate * 1000;
        params1.stoprate = params1.stoprate * 1000;
        params1.steprate = params1.steprate * 1000;
    }

    // we allow also the decreasing ramp
    if (params1.startrate > params1.stoprate) {
        params1.steprate = 0 - params1.steprate;
    }

    if ((params1.startrate < 1) || (params1.stoprate < 1)) {
        printf("\nstartrate and stoprate must be >= 1kbit/s\n\n");
        exit(7);
    }
    if ((params1.startrate > 100000000) || (params1.stoprate > 100000000)) {
        printf("\nstartrate and stoprate must be <= 100Gbit/s\n\n");
        exit(7);
    }
    if (1000 * params1.size * 8 / params1.startrate > 999000) {
        printf("startrate is too low (less than 1pps)\n\n");
        exit(7);
    }
    if (1000 * params1.size * 8 / params1.stoprate > 999000) {
        printf("stoprate is too low (less than 1pps)\n\n");
        exit(7);
    }

    params1.delay = (long long)(1000000 * (long long)params1.size * 8 / params1.startrate);
    params1.rate = params1.startrate;

    // if we insert my_pattern, it occupies the last 10 to last 2 bytes.
    // The last 2 bytes themselves are reserved for the counter
    if (params1.my_pattern == 1) {
        memcpy(params1.ptr + params1.ph.incl_len - 10, MY_PATTERN, 8);
        memset(params1.ptr + params1.ph.incl_len - 2, 0, 1);
        memset(params1.ptr + params1.ph.incl_len - 1, 1, 1);
    }

    // in case we use a custom pattern and offset
    if (params1.my_pattern > 1) {
        memcpy(params1.ptr + params1.offset_pattern, params1.pattern, strlen(params1.pattern));
    }

    function_send();

    return 1;
}

/*------------------------------------------------------------------------------*/
int send_variable_size(void)
{
    int count, flag = 0;
    int wordcount = 0;
    int len;
    char *p;
    char tmp7[20];
    char ch;

    if (params1.paramnum == 1) {
        usage_4();
        exit(0);
    }

    // check if the options are ok
    if ((params1.delay_mode != 1) && (params1.delay_mode != 2) && (params1.delay_mode != 4) && (params1.delay_mode != 8)) {
        printf("\n Wrong or missing delay between packets or bandwidth parameter.\n\n Specify one of the following options:\n");
        printf(" -D - delay between packets in nanoseconds\n");
        printf(" -d - delay between packets in microseconds\n");
        printf(" -d 0 - maximum speed with counters\n");
        printf(" -b - desired bandwidth in kbit/s\n");
        printf(" -B - desired bandwidth in Mbit/s\n\n");
        exit(7);
    } else if ((params1.delay_mode == 1) && (params1.delay == -1)) {
        printf("\n Option -d -1 not allowed with this mode\n\n");
        exit(7);
    }

    // normalise the delay to nanoseconds
    if (params1.delay_mode == 1)
        params1.delay = params1.delay * 1000;
    else if (params1.delay_mode == 2)
        params1.delay = params1.delay;   // already in ns
    else if (params1.delay_mode == 4)
        params1.delay = (long long)(1000000 * (long long)params1.ph.incl_len * 8 / params1.bw);
    else if (params1.delay_mode == 8)
        params1.delay = (long long)(1000 * (long long)params1.ph.incl_len * 8 / params1.BW);

    if (params1.delay > 999000000) {
        printf("\n Warning! Rate is below 1pps, statistics will be displayed only when a packet will be sent.\n\n");
    }

    if ((params1.number == -2) && (params1.duration == -2)) {
        printf("\n Missing number of packets to send or time in seconds to transmit.\n Specify -n or -t .\n");
        printf(" Set -n 0 to send until the ramp finishes. \n\n");
        exit(7);
    } else if ((params1.number != -2) && (params1.duration != -2)) {
        printf("\n Only one option allowed at a time (-n or -t). \n Specify -n or -t !\n\n");
        printf(" Set -n 0 to send until the ramp finishes. \n\n");
        exit(7);
    }

    if ((params1.number == -2) && (params1.duration > 0)) {
        params1.number = 0;
    }

    if (params1.packetsize != -2) {
        printf("\n Option -S not allowed in this mode\n\n");
        exit(7);
    }
    if (params1.attack != -2) {
        printf("\n -a option not allowed in this mode!\n\n");
        exit(7);
    }
    if (strlen(params1.rateramp) > 0) {
        printf("\n Options -z and -Z are not allowed in this mode.\n\n");
        exit(7);
    }
    if (strlen(params1.sizeramp) == 0) {
        printf("\n Did you specify size ramp values with -s option (in bytes)? \n And don't forget the quotation marks! (for example: -s \"100 1000 200\")\n\n");
        exit(7);
    }
    if (params1.period == -2) {
        printf("\n Did you specify duration of one step (in seconds) with -p option?\n\n");
        exit(7);
    }

    // split "startsize stopsize stepsize" on blanks; each token is bounded to tmp7's size
    for (count = 0; count <= (int)strlen(params1.sizeramp); count++) {
        ch = params1.sizeramp[count];
        if (isblank(ch) || (params1.sizeramp[count] == '\0')) {
            len = count - flag;
            if (len >= (int)sizeof(tmp7))
                len = sizeof(tmp7) - 1;
            memcpy(tmp7, &params1.sizeramp[flag], len);
            tmp7[len] = '\0';
            if (wordcount == 0)
                params1.startsize = strtol(tmp7, &p, 10);
            else if (wordcount == 1)
                params1.stopsize = strtol(tmp7, &p, 10);
            else if (wordcount == 2)
                params1.stepsize = strtol(tmp7, &p, 10);
            wordcount += 1;
            flag = count;
        }
    }

    if (params1.startsize > params1.stopsize) {
        printf("\nstartsize is greater than stopsize (or did you forget the quotation marks?)\n\n");
        return 1;
    }
    if (params1.startsize < 60) {
        printf("\nstartsize must be >60\n\n");
        return 1;
    }
    if (params1.stopsize > MAX_MTU) {
        printf("\nstopsize must be <" MAX_MTU_STR "\n\n");
        return 1;
    }
    if ((int)params1.ph.incl_len < params1.stopsize) {
        printf("\nPacket loaded from pcap file is shorter than stopsize!\n\n");
        return 1;
    }

    if ((params1.my_pattern > 1) && (params1.my_pattern != 14)) {
        printf("\n Wrong pattern parameters. Choose one option:\n\n");
        printf(" Predefined pattern: -x \n");
        printf(" Custom pattern: -o -q -w \n\n");
        exit(7);
    } else if (strlen(params1.pattern) > 16) {
        printf("\n Pattern should not be longer than 16 chars!\n\n");
        exit(7);
    } else if ((params1.offset_pattern < 0) || (params1.offset_pattern + (int)strlen(params1.pattern) > params1.startsize)) {
        printf("\n Offset of the pattern is outside of the start packet size!\n\n");
        exit(7);
    } else if ((params1.offset_counter < 0) || (params1.offset_counter > params1.startsize)) {
        printf("\n Offset of the counter is outside the start packet size!\n\n");
        exit(7);
    } else if ((params1.my_pattern > 1) && (params1.offset_counter >= params1.offset_pattern) &&
               (params1.offset_counter <= params1.offset_pattern + (int)strlen(params1.pattern))) {
        printf("\n Counter position and pattern position should not overlap!\n\n");
        exit(7);
    }

    params1.size = params1.startsize;

    // with -b/-B the rate stays constant across the size ramp, so the delay is
    // recomputed per step; with -d/-D the inter-packet delay stays constant
    if (params1.delay_mode == 4) {
        params1.delay = (long long)(1000000 * (long long)params1.size * 8 / params1.bw);
        params1.ConstantRate = 1;
        params1.rate = params1.bw;
    } else if (params1.delay_mode == 8) {
        params1.delay = (long long)(1000 * (long long)params1.size * 8 / params1.BW);
        params1.ConstantRate = 1;
        params1.rate = params1.BW * 1000;
    } else {
        params1.ConstantRate = 0;
    }

    // if we insert my_pattern, it occupies the last 10 to last 2 bytes.
Last 2 bytes themselves are reserved for counter if (params1.my_pattern == 1) { memcpy(params1.ptr+params1.size-10, MY_PATTERN, 8); memset(params1.ptr+params1.size-2, 0, 1); memset(params1.ptr+params1.size-1, 1, 1); } // in case we use custom pattern and offset if(params1.my_pattern > 1) { memcpy(params1.ptr+params1.offset_pattern, params1.pattern, strlen(params1.pattern)); } function_send(); return 1; } /*------------------------------------------------------------------------------*/ int send_burst_constant_mode() { int count, flag = 0; int wordcount = 0; char *p; char tmp7[20]; char ch; if (params1.paramnum == 1) { usage_6(); exit(0); } //check if the options are ok if (params1.delay_mode != 0) { printf("\n Option -d not allowed with this mode\n\n"); exit(7); } if ((params1.number == -2) && (params1.duration == -2)) { printf("\n Missing number of packets to send or time in seconds to transmit.\n Specify -n or -t .\n"); printf(" Set -n 0 to send infinite number of packets. \n\n"); exit(7); } else if ((params1.number != -2) && (params1.duration != -2)) { printf("\n Only one option allowed at a time (-n or -t). \n Specify -n or -t !\n\n"); printf(" Set -n 0 to send infinite number of packets. \n\n"); exit(7); } if ((params1.number == -2) && (params1.duration > 0)) { params1.number = 0; } if (params1.packetsize != -2) { printf("\n Option -S not allowed in this mode\n\n"); exit(7); } if (params1.attack != -2) { printf("\n -a option not allowed in this mode!\n\n"); exit(7); } if ((strlen(params1.sizeramp) > 0 ) || (strlen(params1.rateramp) > 0 ) || (strlen(params1.rateRAMP) > 0 ) || (params1.period != -2)) { printf("\n Ramp options not allowed in this mode\n\n"); exit(7); } if (strlen(params1.burstargs) ==0 ) { printf("\n Did you specify burst arguments with -L option? \n And don't forget the quotation marks! 
(for example: -L \"100 1000 200\")\n\n"); exit(7); } //extract the number of packets in burst, delay between packets and delay between bursts //last 2 are multiplied by 1000 because we input the values in ms not ns for (count = 0; count <= strlen(params1.burstargs); count ++){ ch = params1.burstargs[count]; if((isblank(ch)) || (params1.burstargs[count] == '\0')){ memcpy(tmp7, ¶ms1.burstargs[flag],count-flag); tmp7[count-flag]='\0'; if (wordcount==0) params1.burst_packets_in_burst = strtol(tmp7, &p, 10) ; else if (wordcount ==1) params1.burst_delay_between_packets = strtol(tmp7, &p, 10) * 1000; else if (wordcount ==2) params1.burst_delay_to_next_burst = strtol(tmp7, &p, 10) * 1000; wordcount += 1; flag = count; } } if (params1.burst_delay_between_packets > 999000000) { printf ("\n Warning! Rate is below 1pps, statistics will be displayed only when a packet will be sent.\n\n"); } if (params1.burst_delay_to_next_burst > 999000000) { printf ("\n Warning! Rate is below 1pps, statistics will be displayed only when a packet will be sent.\n\n"); } /*if (params1.startsize > params1.stopsize) { printf("\nstartsize is greater than stopzize (or did you forget the quotation marks?)\n\n"); return 1; } if (params1.startsize < 60) { printf("\nstartsize must be >60\n\n"); return 1; } if (params1.stopsize > MAX_MTU) { printf("\nstopsize must be <" MAX_MTU_STR "\n\n"); return 1; } if (params1.ph.incl_len < params1.stopsize) { printf("\nPacket loaded from pcap file is shorter than stopsize!\n\n"); return 1; }*/ if ((params1.my_pattern > 1) && (params1.my_pattern != 14)) { printf("\n Wrong pattern parameters. 
Choose one option:\n\n"); printf(" Predifined pattern: -x \n"); printf(" Custom pattern: -o -q -w \n\n"); exit(7); } else if (strlen(params1.pattern) > 16) { printf("\n Pattern should not be longer than 16 chars!\n\n"); exit(7); } else if ((params1.offset_pattern < 0) || (params1.offset_pattern+strlen(params1.pattern) > params1.ph.incl_len)) { printf("\n Offset of the pattern is outside the packet size!\n\n"); exit(7); } else if ((params1.offset_counter < 0) || (params1.offset_counter > params1.ph.incl_len)) { printf("\n Offset of the counter is outside the packet size!\n\n"); exit(7); } else if ((params1.my_pattern > 1) && (params1.offset_counter >= params1.offset_pattern) && (params1.offset_counter <= params1.offset_pattern + strlen(params1.pattern))) { printf("\n Counter position and pattern position should not overlap!\n\n"); exit(7); } // if we insert my_pattern, this will be inserted from last 10 to last 2 bytes. Last 2 bytes themselves are reserved for counter if (params1.my_pattern == 1) { memcpy(params1.ptr+params1.ph.incl_len-10, MY_PATTERN, 8); memset(params1.ptr+params1.ph.incl_len-2, 0, 1); memset(params1.ptr+params1.ph.incl_len-1, 1, 1); } // in case we use custom pattern and offset if(params1.my_pattern > 1) { memcpy(params1.ptr+params1.offset_pattern, params1.pattern, strlen(params1.pattern)); } params1.size = params1.ph.incl_len; function_send_burst(); return 1; } /*------------------------------------------------------------------------------*/ int function_send_burst() { int c; long sentnumber = 0, lastnumber = 0; long long gap=0, gap2=0, gap2s=0, gap3s=0; struct timeval first; struct timespec first_ns, now_ns, last_ns, last2s_ns, last3s_ns; long burst_sent = 0; /* this is the time we started */ gettimeofday(&first, NULL); clock_gettime(CLOCK_MONOTONIC, &first_ns); clock_gettime(CLOCK_MONOTONIC, &now_ns); clock_gettime(CLOCK_MONOTONIC, &last_ns); clock_gettime(CLOCK_MONOTONIC, &last2s_ns); clock_gettime(CLOCK_MONOTONIC, &last3s_ns); /* to send 
first packet immedialtelly */ gap = 0; /*-----------------------------------------------------------------------------------------------*/ for(; params1.number == 0 ? 1 : sentnumber < params1.number; ) { clock_gettime(CLOCK_MONOTONIC, &now_ns); gap = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (last_ns.tv_sec*1000000000 + last_ns.tv_nsec); gap2 = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (first_ns.tv_sec*1000000000 + first_ns.tv_nsec); gap2s = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (last2s_ns.tv_sec*1000000000 + last2s_ns.tv_nsec); gap3s = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (last3s_ns.tv_sec*1000000000 + last3s_ns.tv_nsec); if (burst_sent < params1.burst_packets_in_burst) { if (gap < params1.burst_delay_between_packets) continue; } else { if (gap < params1.burst_delay_to_next_burst) continue; else burst_sent = 0; } //send! c = sendto(params1.fd, params1.ptr, params1.size, 0, (struct sockaddr *)¶ms1.sa, sizeof (params1.sa)); last_ns.tv_sec = now_ns.tv_sec; last_ns.tv_nsec = now_ns.tv_nsec; gap = 0; if (c > 0) { sentnumber++; burst_sent++; if (params1.my_pattern == 1) (*(params1.ptr+params1.ph.incl_len-1))++; else if (params1.my_pattern > 1) (*(params1.ptr+params1.offset_counter-1))++; } /* every display interval we print some output */ if (gap2s > ((long long)params1.display_interval*1000000000)) { print_intermidiate(sentnumber, lastnumber, params1.size, params1.display_interval); lastnumber = sentnumber; last2s_ns.tv_sec = now_ns.tv_sec; last2s_ns.tv_nsec = now_ns.tv_nsec; } //exit if time has elapsed we exit if ((params1.duration > 0) && (gap2 >= (long long)(params1.duration*1000000000))) break; //} // every second we check if we need to adjust size, rate or both if (gap3s > 1000000000) { //reset timer last3s_ns.tv_sec = now_ns.tv_sec; last3s_ns.tv_nsec = now_ns.tv_nsec; //if we need do the rate (bandwidth) ramp mode /*if (params1.steprate != 0) { if ( (period2 > (params1.period-2)) && (params1.period>0) ) { params1.rate = params1.rate + 
params1.steprate; if ((params1.steprate > 0) && (params1.rate > params1.stoprate)) { break; } else if ((params1.steprate < 0) && (params1.rate < params1.stoprate)) { break; } params1.delay = (long long)(params1.rate*1000) / (params1.size*8); params1.delay = 1000000000 / params1.delay; period2 = 0; } else period2++; }*/ } } print_final(first, sentnumber, params1.iftext); return 1; } /*------------------------------------------------------------------------------*/ int function_send() { int c; int period2 = 0; long sentnumber = 0, lastnumber = 0; long long gap=0, gap2=0, gap2s=0, gap3s=0; struct timeval first; struct timespec first_ns, now_ns, last_ns, last2s_ns, last3s_ns; /* this is the time we started */ gettimeofday(&first, NULL); clock_gettime(CLOCK_MONOTONIC, &first_ns); clock_gettime(CLOCK_MONOTONIC, &now_ns); clock_gettime(CLOCK_MONOTONIC, &last_ns); clock_gettime(CLOCK_MONOTONIC, &last2s_ns); clock_gettime(CLOCK_MONOTONIC, &last3s_ns); /* to send first packet immedialtelly */ gap = 0; /*-----------------------------------------------------------------------------------------------*/ //if the -1 for delay was choosed, just send as fast as possible, no output, no counters, no pattern, nothing if ((params1.delay==-1000) && (params1.number==0)) { for(;;) c = sendto(params1.fd, params1.ptr, params1.size, 0, (struct sockaddr *)¶ms1.sa, sizeof (params1.sa)); } /* with counters and delay between packets set */ else { for(; params1.number == 0 ? 1 : sentnumber < params1.number; ) { clock_gettime(CLOCK_MONOTONIC, &now_ns); gap = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (last_ns.tv_sec*1000000000 + last_ns.tv_nsec); gap2 = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (first_ns.tv_sec*1000000000 + first_ns.tv_nsec); gap2s = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (last2s_ns.tv_sec*1000000000 + last2s_ns.tv_nsec); gap3s = (now_ns.tv_sec*1000000000 + now_ns.tv_nsec) - (last3s_ns.tv_sec*1000000000 + last3s_ns.tv_nsec); if (gap < params1.delay) continue; //send! 
c = sendto(params1.fd, params1.ptr, params1.size, 0, (struct sockaddr *)¶ms1.sa, sizeof (params1.sa)); last_ns.tv_sec = now_ns.tv_sec; last_ns.tv_nsec = now_ns.tv_nsec; gap = 0; if (c > 0) { sentnumber++; if (params1.my_pattern == 1) (*(params1.ptr+params1.ph.incl_len-1))++; else if (params1.my_pattern > 1) (*(params1.ptr+params1.offset_counter-1))++; } /* every display interval we print some output */ if (gap2s > ((long long)params1.display_interval*1000000000)) { print_intermidiate(sentnumber, lastnumber, params1.size, params1.display_interval); lastnumber = sentnumber; last2s_ns.tv_sec = now_ns.tv_sec; last2s_ns.tv_nsec = now_ns.tv_nsec; } //exit if time has elapsed we exit if ((params1.duration > 0) && (gap2 >= (long long)(params1.duration*1000000000))) break; //} // every second we check if we need to adjust size, rate or both if (gap3s > 1000000000) { //reset timer last3s_ns.tv_sec = now_ns.tv_sec; last3s_ns.tv_nsec = now_ns.tv_nsec; //if we need do the rate (bandwidth) ramp mode if (params1.steprate != 0) { if ( (period2 > (params1.period-2)) && (params1.period>0) ) { params1.rate = params1.rate + params1.steprate; if ((params1.steprate > 0) && (params1.rate > params1.stoprate)) { break; } else if ((params1.steprate < 0) && (params1.rate < params1.stoprate)) { break; } params1.delay = (long long)(params1.rate*1000) / (params1.size*8); params1.delay = 1000000000 / params1.delay; period2 = 0; } else period2++; } //if we do the size ramp mode else if (params1.stepsize > 0) { if ( (period2 > (params1.period-2)) && (params1.period>0) ) { params1.size = params1.size + params1.stepsize; if (params1.size > params1.stopsize) { break; } period2 = 0; if (params1.my_pattern == 1) { memcpy(params1.ptr+params1.size-1, params1.ptr+params1.size-params1.stepsize-1, 1); memcpy(params1.ptr+params1.size-10, MY_PATTERN, 8); } } else period2++; } //if we want to keep the rate the same, we need to change the delay if (params1.ConstantRate == 1) { params1.delay = (long long)(1000 * 
params1.rate) / (params1.size*8); params1.delay = 1000000000 / params1.delay; } } } print_final(first, sentnumber, params1.iftext); return 1; } return 1; } /*------------------------------------------------------------------------------*/ int interface_setup() { int i=0; if (strlen(params1.iftext) == 0 ) { printf("\n You need to specify output interface (-i interface_name)\n\n"); exit (7); } /* do we have the rights to do that? */ if (getuid() && geteuid()) { //printf("Sorry but need the su rights!\n"); printf("\nSorry but need the su rights!\n\n"); exit (7); } /* open socket in raw mode */ params1.fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (params1.fd == -1) { //printf("Error: Could not open socket!\n"); printf("\nError: Could not open socket!\n\n"); exit(7); } // form mode 9 (receiver) - put the socket in non-blocking mode: if (params1.mode == 9) { if(fcntl(params1.fd, F_SETFL, fcntl(params1.fd, F_GETFL) | O_NONBLOCK) < 0) { printf("socket non-blocking failed\n"); exit (7); } } /* which interface would you like to use? */ memset(¶ms1.ifr, 0, sizeof(params1.ifr)); memcpy (params1.ifr.ifr_name, params1.iftext, sizeof(params1.ifr.ifr_name) - 1); params1.ifr.ifr_name[sizeof(params1.ifr.ifr_name)-1] = '\0'; /* does the interface exists? */ if (ioctl(params1.fd, SIOCGIFINDEX, ¶ms1.ifr) == -1) { printf("\nNo such interface: %s\n\n", params1.iftext); close(params1.fd); exit(7); } /* is the interface up? */ ioctl(params1.fd, SIOCGIFFLAGS, ¶ms1.ifr); if ( (params1.ifr.ifr_flags & IFF_UP) == 0) { printf("\nInterface %s is down\n\n", params1.iftext); close(params1.fd); exit(7); } if (params1.mode == 9) { /* Set interface to promiscuous mode - do we need to do this every time? 
*/ memcpy(params1.ifopts.ifr_name, params1.iftext, sizeof(params1.ifopts.ifr_name)-1); ioctl(params1.fd, SIOCGIFFLAGS, ¶ms1.ifopts); params1.ifopts.ifr_flags |= IFF_PROMISC; ioctl(params1.fd, SIOCSIFFLAGS, ¶ms1.ifopts); } /* just write in the structure again */ ioctl(params1.fd, SIOCGIFINDEX, ¶ms1.ifr); /* well we need this to work, don't ask me what is it about */ memset(¶ms1.sa, 0, sizeof (params1.sa)); params1.sa.sll_family = AF_PACKET; params1.sa.sll_ifindex = params1.ifr.ifr_ifindex; params1.sa.sll_protocol = htons(ETH_P_ALL); /* for mode 9 (receiver) - you need this to receive from the right interface */ if (params1.mode == 9) { i = bind(params1.fd, (struct sockaddr*)¶ms1.sa, sizeof(params1.sa)); if (i == -1) { perror("Interface bind error"); exit (0); } } return 1; } /*------------------------------------------------------------------------------*/ int read_packet_from_file(char *filename) { FILE *file_p; int freads; //int last=0 int i=0; //char *ptr2; if((file_p = fopen(filename, "r")) == NULL) { printf("\nCan not open file for reading. Did you specify pcap file with option -f ?\n\n"); exit(7); } /* first we read the pcap file header */ freads = fread(params1.pkt_temp, sizeof(params1.fh), 1, file_p); /* if EOF, exit */ if (freads == 0) { printf("\nPcap file not correct?\n\n"); exit(7); } memcpy(¶ms1.fh, params1.pkt_temp, 24); /* if magic number in NOK, exit */ if (params1.fh.magic != PCAP_MAGIC) { printf("\nWrong pcap file format?\n\n"); exit(7); } // we can select which packet we want to send if (params1.seqnum == -2) params1.seqnum = 1; for (i=0; i < params1.seqnum; i++) { /* next the pcap packet header */ freads = fread(params1.pkt_temp, sizeof(params1.ph), 1, file_p); /* if EOF, exit */ if (freads == 0) { printf("\nWrong sequence number? 
Or wrong pcap file format?\n\n"); exit(7); } /* copy the 16 bytes into ph structure */ memcpy(¶ms1.ph, params1.pkt_temp, 16); params1.ptr = params1.pkt_temp + sizeof(params1.ph); /* and the packet itself, but only up to the capture length */ freads = fread(params1.ptr, params1.ph.incl_len, 1, file_p); /* if EOF, exit */ if (freads == 0) { printf("\nWrong sequence number? Or wrong pcap file format?\n\n"); exit(7); } } fclose(file_p); return 1; } /*------------------------------------------------------------------------------*/ void print_intermidiate(long packets_sent, long packets_last_sent, int packet_size, int print_interval) { long mbps, packets_pps, link; float Mbps, Link; packets_pps = (packets_sent - packets_last_sent) / print_interval; mbps = packets_pps * packet_size / 125; // 8 bits per byte / 1024 for kbit Mbps = (float)mbps/1000; link = packets_pps * (packet_size + 24) / 125; /* +12 bytes for interframe gap time and 12 for preamble, sfd and checksum */ Link = (float)link/1000; printf(" Sent %ld packets on %s; %d bytes packet length; %ld packets/s; %.3f Mbit/s data rate; %.3f Mbit/s link utilization\n", packets_sent, params1.iftext, packet_size, packets_pps, Mbps, Link); fflush(stdout); } /*------------------------------------------------------------------------------*/ void print_final(struct timeval first, long packets_sent, char *interface_name) { struct timeval now; long duration; float duration_s; gettimeofday(&now, NULL); duration = (now.tv_sec*1000000 + now.tv_usec) - (first.tv_sec*1000000 + first.tv_usec); duration_s = (float)duration/1000000; printf("------------------------------------------------\n"); printf(" Sent %ld packets on %s in %f second(s). 
\n", packets_sent, interface_name, duration_s); printf("------------------------------------------------\n"); fflush(stdout); close(params1.fd); if (params1.mode == 5) cleanupRules(params1.num_rules); exit(1); } /*------------------------------------------------------------------------------*/ void onexit(int signum) { (void)signum; //printf(" ... Exiting\n"); STOP = 1; close(params1.fd); } /*------------------------------------------------------------------------------*/ inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) { unsigned int sum; asm(" movl (%1), %0\n" " subl $4, %2\n" " jbe 2f\n" " addl 4(%1), %0\n" " adcl 8(%1), %0\n" " adcl 12(%1), %0\n" "1: adcl 16(%1), %0\n" " lea 4(%1), %1\n" " decl %2\n" " jne 1b\n" " adcl $0, %0\n" " movl %0, %2\n" " shrl $16, %0\n" " addw %w2, %w0\n" " adcl $0, %0\n" " notl %0\n" "2:" /* Since the input registers which are loaded with iph and ih are modified, we must also specify them as outputs, or gcc will assume they contain their original values. 
*/ : "=r" (sum), "=r" (iph), "=r" (ihl) : "1" (iph), "2" (ihl) : "memory"); return (__sum16)sum; } /*------------------------------------------------------------------------------*/ uint16_t TCPChecksum(uint16_t* buf1, int buf1len, uint16_t* buf2, int buf2len) { uint32_t sum = 0; uint16_t tmp = 0; assert(buf2 == NULL || buf1len % 2 == 0); while (buf1len > 1) { sum += *buf1++; buf1len -= 2; } /* Add left-over byte, if any */ if (buf1len > 0) { tmp = 0; *(uint8_t *) &tmp = *(uint8_t *) buf1; sum += tmp; } if (buf2) { while (buf2len > 1) { sum += *buf2++; buf2len -= 2; } /* Add left-over byte, if any */ if (buf2len > 0) { tmp = 0; *(uint8_t *) &tmp = *(uint8_t *) buf2; sum += tmp; } } /* fold 32-bit sum to 16 bits */ sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return (uint16_t)~sum; } /*------------------------------------------------------------------------------*/ inline uint32_t MyRandom(uint64_t *seed) { *seed = *seed * 1103515245 + 12345; return (uint32_t)(*seed >> 32); } /*------------------------------------------------------------------------------*/ char * build_packet(char *buffer, int pktsize, int tot_rules, int *rule_idx, uint64_t *seed, int attack) { struct ether_header *ethh; struct iphdr *iph; struct tcphdr *tcph; uint16_t tot_len; static struct { uint32_t src_addr; uint32_t dst_addr; uint8_t zero; uint8_t protocol; uint16_t len; } __attribute__ ((aligned (__WORDSIZE))) pseudo_header = { IP_SRC_ADDR, IP_DST_ADDR, 0, IPPROTO_TCP, 0, }; static u_int8_t ether_dhost[ETH_ALEN] = MAC_DST_ADDR; static u_int8_t ether_shost[ETH_ALEN] = MAC_SRC_ADDR; static uint64_t attack_meter = 0; uint64_t attack_index; uint8_t attack_packet = 0; /* build ether header (14B) */ ethh = (struct ether_header *)buffer; memcpy(ethh->ether_dhost, ether_dhost, ETH_ALEN); memcpy(ethh->ether_shost, ether_shost, ETH_ALEN); ethh->ether_type = htons(ETHERTYPE_IP); tot_len = pktsize - sizeof(struct ether_header); /* build ip header (20B) */ iph = (struct iphdr *)(ethh + 1); 
memset(iph, 0, sizeof (struct iphdr)); iph->ihl = (unsigned int)(sizeof(struct iphdr)>>2); iph->version = 4; iph->ttl = 32; iph->protocol = IPPROTO_TCP; /* in nbo */ iph->saddr = IP_SRC_ADDR; iph->daddr = IP_DST_ADDR; iph->tot_len = htons(tot_len); iph->check = ip_fast_csum(iph, iph->ihl); /* build tcp header (20B) */ tcph = (struct tcphdr *)((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr)); memset(tcph, 0, sizeof (struct tcphdr)); tcph->source = TCP_SRC_PORT; tcph->dest = TCP_DST_PORT; tcph->seq = MyRandom(seed); tcph->ack_seq = MyRandom(seed); tcph->doff = (sizeof(struct tcphdr)>>2); tcph->res1 = 0; tcph->res2 = 0; tcph->urg = 0; tcph->ack = 1; tcph->psh = 0; tcph->rst = 0; tcph->syn = 0; tcph->fin = 0; tcph->window = htons(5840); attack_index = attack_meter & (4 - 1); switch (attack) { case 0: memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), null_payload, tot_len + sizeof(struct ether_header)); break; case 1: if (attack_index == 0) { memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), g_content[*rule_idx], tot_len + sizeof(struct ether_header)); attack_packet = 1; } else memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), null_payload, tot_len + sizeof(struct ether_header)); break; case 2: if (attack_index == 0 || attack_index == 2) { memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), g_content[*rule_idx], tot_len + sizeof(struct ether_header)); attack_packet = 1; } else memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), null_payload, tot_len + sizeof(struct ether_header)); break; case 3: if (attack_index != 0) { memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), g_content[*rule_idx], tot_len + sizeof(struct ether_header)); attack_packet = 1; } else 
memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), null_payload, tot_len + sizeof(struct ether_header)); break; case 4: /* build payload */ memcpy((char *)buffer + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr), g_content[*rule_idx], tot_len + sizeof(struct ether_header)); attack_packet = 1; break; default: fprintf(stderr, "Control can never come here!\n"); exit(EXIT_FAILURE); } /* update rule offset */ if (attack_packet) *rule_idx = (*rule_idx + 1) % tot_rules; /* update checksum */ tot_len -= sizeof(struct iphdr); pseudo_header.len = htons(tot_len); tcph->check = TCPChecksum((uint16_t *) &pseudo_header, sizeof(pseudo_header), (uint16_t *)tcph, tot_len); attack_meter++; return buffer; } /*------------------------------------------------------------------------------*/ /* IDS mode */ //int four(char *iftext, long delay, long pkt2send, char* filename, char *sizetmp, int period, int attack) int send_ids_mode() { int count, flag=0; int wordcount = 0; char *p; char tmp7[10]; char ch; if (params1.paramnum == 1) { usage_5(); exit(0); } //check if the options are ok if ((params1.attack < 1) || (params1.attack > 4)) { printf("\n Missing amount of attack traffic. 
Select: -a <1-4>"); printf("\n 0 for innocent traffic, 1 for 25%% attack, 2 for 50%% attack, 3 for 75%% attack, 4 for 100%% attack\n\n"); exit(7); } //check if the options are ok if ((params1.delay_mode != 1) && (params1.delay_mode != 2) && (params1.delay_mode != 4) && (params1.delay_mode != 8)) { printf("\n Wrong or missing delay between packets or bandwidth parameter.\n\n Specify one of the following options:\n"); printf(" -D - delay between packets in nanoseconds\n"); printf(" -d - delay between packets in microseconds\n"); printf(" -d 0 - maximum speed with counters\n"); printf(" -b - desired bandwidth in kbit/s\n"); printf(" -B - desired bandwidth in Mbit/s\n\n"); exit(7); } else if ((params1.delay_mode == 1) && (params1.delay == -1)) { printf("\n Option -d -1 not allowed with this mode\n\n"); exit(7); } if (params1.delay_mode == 1) params1.delay = params1.delay * 1000; else if (params1.delay_mode == 2) params1.delay = params1.delay; else if (params1.delay_mode == 4) params1.delay = (long long)(1000000 * (long long)params1.ph.incl_len * 8 / params1.bw); else if (params1.delay_mode == 8) params1.delay = (long long)(1000 * (long long)params1.ph.incl_len * 8 / params1.BW); if (params1.delay > 999000000) { printf ("\n Warning! Rate is below 1pps, statistics will be displayed only when a packet will be sent.\n\n"); } if ((params1.number == -2) && (params1.duration == -2)) { printf("\n Missing number of packets to send or time in seconds to transmit.\n Specify -n or -t .\n"); printf(" Set -n 0 to send infinite number of packets. \n\n"); exit(7); } else if ((params1.number != -2) && (params1.duration != -2)) { printf("\n Only one option allowed at a time (-n or -t). \n Specify -n or -t !\n\n"); printf(" Set -n 0 to send until the ramp finishes. 
\n\n"); exit(7); } if ((params1.number == -2) && (params1.duration > 0)) { params1.number = 0; } if (strlen(params1.rateramp) > 0 ) { printf("\n Options -z and -Z are not allowed in this mode.\n\n"); exit(7); } if (params1.seqnum != -2 ) { printf("\n Option -c not allowed in this mode.\n\n"); exit(7); } if ((strlen(params1.sizeramp) ==0 ) && (params1.packetsize == -2)) { printf("\n Did you specify packet size with -S or size ramp values with -s option (in bytes)? \n And don't forget the quotation marks! (for example: -s \"100 1000 200\")\n\n"); exit(7); } if ((strlen(params1.sizeramp) > 0) && (params1.period == -2)) { printf("\n Did you specify duration of one step (in seconds) with -p option?\n\n"); exit(7); } if (params1.my_pattern > 0) { printf("\n Pattern options not allowed in this mode!\n\n"); exit(7); } /* read snort rule file */ params1.num_rules = readSnortRules(params1.filename); if (params1.num_rules == 0) { /* if there are no rules, then die! */ fprintf(stderr, "Rules file is empty!\n"); exit(EXIT_FAILURE); } if (strlen(params1.sizeramp) > 0 ) { for (count = 0; count <= strlen(params1.sizeramp); count ++){ ch = params1.sizeramp[count]; if((isblank(ch)) || (params1.sizeramp[count] == '\0')){ memcpy(tmp7, ¶ms1.sizeramp[flag],count-flag); tmp7[count-flag]='\0'; if (wordcount==0) params1.startsize = strtol(tmp7, &p, 10); else if (wordcount == 1) params1.stopsize = strtol(tmp7, &p, 10); else if (wordcount == 2) params1.stepsize = strtol(tmp7, &p, 10); wordcount += 1; flag = count; } } if (params1.startsize > params1.stopsize) { printf("\nstartsize is greater than stopzize\n\n"); close(params1.fd); cleanupRules(params1.num_rules); return 1; } if (params1.startsize < 60) { printf("\nstartsize must be >60\n\n"); close(params1.fd); cleanupRules(params1.num_rules); return 1; } if (params1.stopsize > MAX_MTU) { printf("\nstopsize must be <%d\n\n", MAX_MTU); close(params1.fd); cleanupRules(params1.num_rules); return 1; } params1.size = params1.startsize; } else 
    params1.size = params1.packetsize;
    function_send();
    return 1;
}

void usage(void)
{
    printf("\nUsage: ./packETHcli -m <mode> -i <interface> -f <file> [options]\n");
    printf(" \n");
    printf(" There are different modes, use ./packETHcli -m <mode> to get detailed help for particular mode\n");
    printf(" \n");
    printf(" -m 1 - SEND PACKET ONCE (default mode)\n");
    printf(" -m 2 - SEND PACKETS CONTINUOUSLY WITH CONSTANT RATE:\n");
    printf(" -m 3 - SEND PACKETS CONTINUOUSLY WITH VARIABLE RATE (SPEED RAMP)\n");
    printf(" -m 4 - SEND PACKETS CONTINUOUSLY WITH VARIABLE SIZE (SIZE RAMP)\n");
    printf(" -m 5 - SEND SEQUENCE OF PACKETS (IDS TEST MODE)\n");
    printf(" -m 6 - SEND PACKETS IN BURST MODE (CONSTANT BURST)\n");
    printf(" -m 9 - RECEIVER MODE (count packets sent by packETHcli or packETH)\n");
    printf("\n");
    //printf(" -f <file> - file name where packet is stored in pcap format (or attack definitions file in Snort rule format in mode 5) \n");
    //printf(" -I <seconds> - time interval to display results (default 1s) \n");
    printf("\n");
    printf("FOR EXAMPLES SEE: ./packETHcli -e \n\n");
}

void usage_1(void)
{
    printf(" -m 1 - SEND PACKET ONCE (default mode): send packet from the pcap file once \n");
    printf(" Usage: ./packETHcli -m 1 -i <interface> -f <file> [-c <number>]\n");
    printf(" Optional parameter:\n");
    printf(" -c <number> - sequence number of packet stored in pcap file (by default first packet will be sent)\n");
    printf(" to see sequence numbers of packets inside pcap file: tcpdump -# -r filename\n");
    printf(" Example: ./packETHcli -i eth0 -f packet.pcap\n\n");
}

void usage_2(void)
{
    printf(" -m 2 - SEND PACKETS CONTINUOUSLY WITH CONSTANT RATE: send (first) packet from pcap file at constant rate\n");
    printf(" Usage: ./packETHcli -m 2 -i <interface> -f <file> [options]\n");
    printf(" Required parameters:\n");
    printf(" Number of packets to send or duration in seconds (only one option possible)\n");
    printf(" -n <number> - number of packets to send or 0 for infinite\n");
    printf(" -t <seconds> - seconds to transmit\n");
    printf(" Delay between packets or sendrate (only one option possible)\n");
    printf(" -D <ns> - delay between packets in nano seconds;\n");
    printf(" -d <us> - delay between packets in micro seconds;\n");
    printf(" -d 0 - maximum speed with counters\n");
    printf(" -d -1 - maximum speed without counters\n");
    printf(" -b <kbit/s> - desired sending rate in kbit/s\n");
    printf(" -B <Mbit/s> - desired sending rate in Mbit/s\n");
    printf(" Optional parameters:\n");
    printf(" -c <number> - sequence number of packet stored in pcap file (by default first packet will be sent)\n");
    printf(" -I <seconds> - time interval to display results (default 1s) \n");
    printf(" Insert predefined pattern into packet: \n");
    printf(" -x - insert pattern \"a9b8c7d6\" and counter inside last 10 bytes of packet\n");
    printf(" Insert custom pattern at custom position and counter at custom position\n");
    printf(" -q <offset> - where should the pattern be (bytes offset)\n");
    printf(" -w <pattern> - what should be the pattern to match\n");
    printf(" -o <offset> - where should the incremented counter be (bytes offset)\n");
    printf(" \n");
    printf(" Example: ./packETHcli -i eth0 -m 2 -B 100 -n 10000 -f p1.pcap \n\n");
}

void usage_3(void)
{
    printf(" -m 3 - SEND PACKETS CONTINUOUSLY WITH VARIABLE RATE (SPEED RAMP)\n");
    printf(" Usage: ./packETHcli -m 3 -i <interface> -f <file> [options]\n");
    printf(" Required parameters:\n");
    printf(" Number of packets to send or duration in seconds (only one option possible)\n");
    printf(" -n <number> - number of packets to send or 0 for infinite\n");
    printf(" -t <seconds> - seconds to transmit\n");
    printf(" Startrate, Stoprate, Steprate and Step duration (only one option possible):\n");
    /* -z/-Z/-p lines restored from the mode 3 examples in examples() below */
    printf(" -z \"<startrate stoprate steprate>\" in kbit/s\n");
    printf(" -Z \"<startrate stoprate steprate>\" in Mbit/s\n");
    printf(" -p <seconds> - period between steps in seconds \n");
    printf(" Optional parameters:\n");
    printf(" -c <number> - sequence number of packet stored in pcap file (by default first packet will be sent)\n");
    printf(" -I <seconds> - time interval to display results (default 1s) \n");
    printf(" Insert predefined pattern into packet: \n");
    printf(" -x - insert pattern \"a9b8c7d6\" and counter inside last 10 bytes of packet\n");
    printf(" Insert custom pattern at custom position and counter at custom position\n");
    printf(" -q <offset> - where should the pattern be (bytes offset)\n");
    printf(" -w <pattern> - what should be the pattern to match\n");
    printf(" -o <offset> - where should the incremented counter be (bytes offset)\n");
    printf(" \n");
    printf(" Example: ./packETHcli -i eth1 -m 3 -t 3600 -Z \"500 100 1\" -p 5 -f p1.pcap \n\n");
}

void usage_4(void)
{
    printf(" -m 4 - SEND PACKETS CONTINUOUSLY WITH VARIABLE SIZE (SIZE RAMP)\n");
    printf(" Usage: ./packETHcli -m 4 -i <interface> -f <file> [options]\n");
    printf(" Required parameters:\n");
    printf(" Number of packets to send or duration in seconds (only one option possible)\n");
    printf(" -n <number> - number of packets to send or 0 for infinite\n");
    printf(" -t <seconds> - seconds to transmit\n");
    printf(" Delay between packets or sendrate (only one option possible). Choose first option for constant pps and second one for constant bandwidth\n");
    printf(" -d <us> - delay between packets in micro seconds; select 0 for maximum speed\n");
    printf(" -D <ns> - delay between packets in nano seconds; select 0 for maximum speed with counters; select -1 for max speed without counters\n");
    printf(" -b <kbit/s> - desired sending rate in kbit/s\n");
    printf(" -B <Mbit/s> - desired sending rate in Mbit/s\n");
    printf(" Startsize, Stopsize, Stepsize and step duration\n");
    printf(" -s \"<startsize stopsize stepsize>\" in bytes (please note that TCP&UDP checksums are not (yet :) ) recalculated!!!) \n");
    printf(" -p <seconds> - period between steps in seconds\n");
    printf(" Optional parameters:\n");
    printf(" -c <number> - sequence number of packet stored in pcap file (by default first packet will be sent)\n");
    printf(" -I <seconds> - time interval to display results (default 1s) \n");
    printf(" Insert predefined pattern into packet: \n");
    printf(" -x - insert pattern \"a9b8c7d6\" and counter inside last 10 bytes of packet\n");
    printf(" Example: ./packETHcli -i eth1 -m 4 -d 2000 -n 0 -s \"100 1500 100\" -p 5 -f p1.pcap\n\n");
}

void usage_5(void)
{
    printf(" -m 5 - SEND SEQUENCE OF PACKETS (IDS TEST MODE)\n");
    printf(" Usage: ./packETHcli -m 5 -i <interface> -f <snort rules file> [options]\n");
    printf(" Required parameters\n");
    printf(" -f <snort rules file>\n");
    printf(" -a <level> - innocent traffic for 0, 25%% attack for 1, 50%% attack for 2, 75%% attack for 3, 100%% attack for 4 \n");
    printf(" -S <packet size> OR -s \"<startsize stopsize stepsize>\" -p <seconds>\n");
    printf(" -d <us> - delay between packets OR -b <kbit/s> OR -B <Mbit/s>\n");
    printf(" -n <number> - number of packets to send (0 for infinite) OR -t <seconds>\n");
    printf(" Example: ./packETHcli -i lo -f sample_snort_rules.txt -B 10 -m 5 -t 60 -S 1000 -a 2\n\n");
    printf("\n");
}

void usage_6(void)
{
    printf(" -m 6 - SEND PACKETS IN BURST MODE (CONSTANT BURST)\n");
    printf(" Usage: ./packETHcli -m 6 -i <interface> -f <file> [options]\n");
    printf(" Required parameters:\n");
    printf(" Number of packets to send or duration in seconds (only one option possible)\n");
    printf(" -n <number> - number of packets to send or 0 for infinite\n");
    printf(" -t <seconds> - seconds to transmit\n");
    printf(" Number of packets in burst, delay between packets in burst (us), delay till next burst (us)\n");
    printf(" -L \"<packets delay_in_burst delay_to_next_burst>\" \n");
    printf(" Optional parameters:\n");
    printf(" -c <number> - sequence number of packet stored in pcap file (by default first packet will be sent)\n");
    printf(" -I <seconds> - time interval to display results (default 1s) \n");
    printf(" Insert predefined pattern into packet: \n");
    printf(" -x - insert pattern \"a9b8c7d6\" and counter inside last 10 bytes of packet\n");
    printf(" Example: ./packETHcli -i eth1 -m 6 -n 0 -L \"100 1 100\" -f p1.pcap\n\n");
}

void usage_9(void)
{
    printf(" -m 9 - RECEIVER MODE: COUNT PACKETS (FROM packETHcli)\n");
    printf(" Usage: ./packETHcli -m 9 -i <interface> [-x OR -o <offset> -q <offset> -w <pattern>]\n");
    printf(" Optional parameter:\n");
    printf(" To count packets with predefined pattern sent by packETHcli use -x option on both sides (sender and receiver) :\n");
    printf(" -x - Last 10 bytes in received packets will be checked for pattern \"a9b8c7d6\" and counter\n");
    printf(" To count packets with custom pattern at custom position and counter at custom position:\n");
    printf(" -q <offset> - where should the pattern be (bytes offset)\n");
    printf(" -w <pattern> - what should be the pattern to match\n");
    printf(" -o <offset> - where should the incremented counter be (bytes offset)\n");
    printf(" Examples:\n");
    printf(" ./packETHcli -m 9 -i eth0\n");
    printf(" ./packETHcli -m 9 -i eth0 -x\n");
    printf(" ./packETHcli -m 9 -i eth0 -o 60 -q 70 -w 12345678\n");
    printf("\n");
}

void examples(void)
{
    printf("\n");
    printf("Examples: \n");
    printf("\n");
    printf("All examples assume that we send on interface eth0 and that the packet is stored in file p1.pcap\n");
    printf("\n");
    printf(" mode 1 - send one packet and exit:\n");
    printf(" ./packETHcli -i eth0 -f p1.pcap - send packet p1.pcap once on interface eth0\n");
    printf(" ./packETHcli -i eth0 -f p10.pcap -c 5 - send 5th packet from file p10.pcap\n");
    printf("\n");
    printf(" mode 2 - send packets at constant rate:\n");
    printf(" ./packETHcli -i eth0 -m 2 -d 0 -n 0 -f p1.pcap - send at max speed, infinite times, display counters every second\n");
    printf(" ./packETHcli -i eth0 -m 2 -d -1 -n 0 -f p1.pcap - send at max speed, infinite times, no counters\n");
    printf(" ./packETHcli -i eth0 -m 2 -d 1000 -n 300 -f p1.pcap - send 300 packets with 1000 us (1ms) between them\n");
    printf(" ./packETHcli -i eth0 -m 2 -b 1500 -t 30 -f p1.pcap -I 5 - send packets with rate 1500 kbit/s for 30s, display results every 5s\n");
    printf(" ./packETHcli -i eth0 -m 2 -B 100 -n 10000 -f p1.pcap -c 7 - send 7th packet 10000 times, with rate 100 Mbit/s\n");
    printf(" ./packETHcli -i eth0 -m 2 -B 100 -n 0 -f p1.pcap -x - send infinite times with rate 100 Mbit/s, add predefined pattern and counter\n");
    printf(" ./packETHcli -i eth0 -m 2 -B 100 -n 0 -f p1.pcap -o 60 -q 70 -w 12345 - send infinite times with rate 100 Mbit/s, add counter at byte 60 and pattern 12345 at byte 70\n");
    printf("\n");
    printf(" mode 3 - send packets with different rates (speed ramp):\n");
    printf(" ./packETHcli -i eth1 -m 3 -n 0 -z \"100 1500 100\" -p 10 -f p1.pcap - start sending at 100kbit/s for 10s, then increase rate by 100kbit/s each 10s up to 1500 kbit/s\n");
    printf(" ./packETHcli -i eth1 -m 3 -t 3600 -Z \"500 100 1\" -p 5 -f p1.pcap - send with 500Mbit/s for 5s, then decrease rate by 1Mbit/s each 5s. Stop after 3600s if not finished\n");
    printf("\n");
    printf(" mode 4 - send packets with variable size (size ramp):\n");
    printf(" ./packETHcli -i eth1 -m 4 -d 0 -n 0 -s \"100 1500 100\" -p 10 -f p1.pcap - send at max speed, start with packet size of 100 bytes for 10s then increase by 100 bytes up to 1500 bytes\n");
    printf(" ./packETHcli -i eth1 -m 4 -d 2000 -n 0 -s \"100 1500 100\" -p 5 -f p1.pcap - send with constant rate 500pps (bandwidth changes), increase length by 100 bytes every 5s from 100 to 1500 \n");
    printf(" ./packETHcli -i eth1 -m 4 -B 10 -t 300 -s \"1000 1500 100\" -p 10 -f p1.pcap - send with constant bandwidth 10Mbit/s (pps changes), increase the length by 100 bytes every 10s from 1000 to 1500\n");
    printf("\n");
    printf(" mode 5 - send packets for IDS testing:\n");
    printf(" ./packETHcli -i eth1 -m 5 -f sample_snort_rules.txt -B 10 -t 60 -S1000 -a 2 - send 50%% IDS traffic (-a 2) at 10Mbit/s for 60 seconds, packet size 1000 bytes\n");
    printf(" ./packETHcli -i eth1 -m 5 -f sample_snort_rules.txt -d 1000 -t 60 -s \"100 1000 100\" -a 4 -p 10\n");
    printf(" - send 100%% IDS traffic, 1000pps for 60 seconds, increase packet size from 100 to 1000 bytes\n");
    printf("\n");
    printf(" mode 6 - send packets in burst mode:\n");
    printf(" ./packETHcli -i eth1 -m 6 -n 0 -L \"100 1000 200000\" -f p1.pcap - send a burst of 100 packets with 1ms between them then wait for 200ms and send next burst again\n");
    printf(" ./packETHcli -i eth1 -m 6 -n 0 -L \"100 0 100000\" -f p1.pcap - send a burst of 100 packets as fast as possible then wait for 100ms and send next burst again\n");
    printf("\n");
    printf(" mode 9 - receive and count packets sent by packETHcli:\n");
    printf(" ./packETHcli -i eth1 -m 9 -x - receive and count packets sent by packETHcli with -x option\n");
    printf(" ./packETHcli -i eth1 -m 9 -o 60 -q 70 -w 12345 - receive and count packets that have counter at byte 60 and the pattern is 12345 at byte 70\n");
    printf("\n");
    printf("\n\n");
    exit(8);
}

packETH-3.0/cli/parse_snort_rules.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/*------------------------------------------------------------*/
#define RULE_LINE_LEN 4096
#define MAX_CONTENT 2048
#define HEADER_LEN 54
#define MAX_RULE 8192
#define UNUSED(x) (void)x

/* content & regular expression g_vars */
//static char **g_pcre_string;
//static int *g_pcre_len;
char **g_content;
int *g_content_len;
char *null_payload;
static const int packet_size = 1514;

/* Function headers */
int readSnortRules(const char *);
void cleanupRules(int);

/*------------------------------------------------------------*/
int readSnortRules(const char *filename)
{
    FILE *fp;
    char *p, *result, *saveptr, *temp, *end, *pcre[MAX_RULE];
    char line[RULE_LINE_LEN], new_content[MAX_CONTENT], ox[2];
    int num_rule, i, j, loc, len_temp, flag, hex_num, rule_dec;
    char hex[6] = "0x";

    /* set null_payload */
    null_payload = calloc(1, packet_size);
    if (null_payload == NULL) {
        fprintf(stderr, "Not enough memory to initialize null payload!\n");
        exit(EXIT_FAILURE);
    }
    loc = num_rule = flag = rule_dec = 0;

    /* calculate number of rules (comment and empty lines are not rules) */
    if ((fp = fopen(filename, "r")) == NULL) {
        fprintf(stderr, "[%s:%d] File %s failed to open!\n", __FUNCTION__, __LINE__, filename);
        exit(EXIT_FAILURE);
    }
    while (fgets(line, sizeof(line), fp) != NULL) {
        if (*line == '#' || *line == '\n' || *line == '\0')
            continue;
        else
            num_rule++;
    }

    /*
     * rewind. I know this is inefficient, but will improve
     * on this in the next iteration
     */
    rewind(fp);

    /* for content: one MAX_CONTENT slot per rule, handed out sequentially through p */
    if ((p = (char *)calloc(num_rule, MAX_CONTENT)) == NULL) {
        fprintf(stderr, "[%s:%d] Memory allocation for contents failed\n", __FUNCTION__, __LINE__);
        exit(EXIT_FAILURE);
    }
    if ((g_content = (char **)calloc(num_rule, sizeof(char *))) == NULL) {
        fprintf(stderr, "[%s:%d] Malloc for content failed\n", __FUNCTION__, __LINE__);
        exit(EXIT_FAILURE);
    }
    if ((g_content_len = (int *)calloc(num_rule, sizeof(int))) == NULL) {
        fprintf(stderr, "[%s:%d] Malloc for g_content_len failed\n", __FUNCTION__, __LINE__);
        exit(EXIT_FAILURE);
    }

    i = 0;
    while (i < num_rule && fgets(line, sizeof(line), fp) != NULL) {
        /* skip the same lines the counting pass skipped, otherwise rule i is misaligned */
        if (*line == '#' || *line == '\n' || *line == '\0')
            continue;

        result = strstr(line, "content:");
        if (result == NULL) {
            strcpy(new_content, "No_Content");
            loc = strlen(new_content);
        } else {
            /* the pattern is the text between the first pair of double quotes after "content:" */
            result = strtok_r(result, "\"", &saveptr);
            if (result != NULL)
                result = strtok_r(NULL, "\"", &saveptr);
            if (result == NULL || (temp = strdup(result)) == NULL) {
                fprintf(stderr, "[%s:%d] Reading content failed\n", __FUNCTION__, __LINE__);
                exit(EXIT_FAILURE);
            }
            len_temp = strlen(temp);
            memset(new_content, 0, MAX_CONTENT);
            /* '|' toggles between literal text and "|xx xx|" hex byte notation;
             * stop one byte short of MAX_CONTENT so new_content stays terminated */
            for (j = 0; j < len_temp && loc < MAX_CONTENT - 1; j++) {
                if (temp[j] == '|') {
                    flag = !flag;
                    continue;
                }
                if (flag == true) {
                    if (temp[j] == ' ')
                        continue;
                    /* two hex digits -> one byte */
                    memset(hex, 0, sizeof(hex));
                    strcpy(hex, "0x");
                    ox[0] = temp[j];
                    ox[1] = temp[j + 1];
                    strncat(hex, ox, 2);
                    hex_num = 0;
                    sscanf(hex, "0x%2X", &hex_num);
                    new_content[loc] = hex_num;
                    loc++;
                    j++;
                } else {
                    new_content[loc] = temp[j];
                    loc++;
                }
            }
            free(temp);
        }
        /* keep the rule only if its content fits into a full-size frame behind the headers */
        if (loc + 1 <= packet_size - HEADER_LEN) {
            memcpy(p, new_content, loc + 1);
            g_content[i - rule_dec] = p;
            g_content_len[i - rule_dec] = loc + 1;
            p += (loc + 1);
        } else {
            rule_dec++;
        }
        flag = false;
        loc = 0;
        i++;
    }

    /* rewind again */
    rewind(fp);

#if 0
    for (i = 0; i < num_rule; i++) {
        if (fgets(line, sizeof(line), fp) == NULL) {
            fprintf(stderr, "[%s:%d]: Reading %dth rule failed\n", __FUNCTION__, __LINE__, i);
            exit(EXIT_FAILURE);
        }
        result = strstr(line, "pcre:");
        if (result == NULL)
            continue;
        end = strstr(result, "\"");
        result = end + 1;
        end = strstr(result, "\"; ");
        end[0] = '\0';
        if ((temp = strdup(result)) == NULL) {
            fprintf(stderr, "[%s:%d] Reading PCRE failed\n", __FUNCTION__, __LINE__);
            exit(EXIT_FAILURE);
        }
        pcre[i] = temp;
    }
#endif
    fclose(fp);

#ifdef TEST_SNORT_RULE_PARSING
    printf("rule_dec: %d\n", rule_dec);
    for (i = 0; i < num_rule - rule_dec; i++) {
        fprintf(stdout, "%d: content: ", i);
        for (j = 0; j < g_content_len[i]; j++)
            fprintf(stdout, "0x%02X ", (unsigned char)g_content[i][j]);
        fprintf(stdout, "\n");
    }
#endif
    UNUSED(pcre);
    UNUSED(end);

    return num_rule - rule_dec;
}

/*------------------------------------------------------------*/
void cleanupRules(int num_rules)
{
    /* freeing up all resources allocated */
    UNUSED(num_rules);
    free(null_payload);
    free(g_content_len);
    free(g_content);
}

/*------------------------------------------------------------*/
#ifdef TEST_SNORT_RULE_PARSING
int main(int argc, char **argv)
{
    int num_rules;

    if (argc != 2) {
        fprintf(stderr, "[%s:%d] Usage: %s <snort rules file>\n", __FUNCTION__, __LINE__, argv[0]);
        exit(EXIT_FAILURE);
    }
    num_rules = readSnortRules(argv[1]);
    if (num_rules <= 0) {
        fprintf(stderr, "[%s:%d] There are no rules in the file\n", __FUNCTION__, __LINE__);
        exit(EXIT_FAILURE);
    }
    cleanupRules(num_rules);
    return EXIT_SUCCESS;
}
#endif
/*------------------------------------------------------------*/

packETH-3.0/cli/sample_snort_rules.txt

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command 
completed"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:13;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:14;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR freak 1.0 runtime detection - icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=FrEaK_ViCTiM"; nocase; content:"fromemail=FrEaK"; nocase; content:"subject=FrEaK+SERVER"; nocase; content:"body="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6071; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR globalkiller1.0 runtime detection - notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=MondoHack"; nocase; content:"fromemail="; nocase; content:"subject="; nocase; content:"body="; nocase; content:"to="; nocase; content:"send="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6331; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR y3k 1.2 runtime detection - icq notification"; flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client"; flow:from_server,established; flowbits:isset,nova_cgi_cts; content:"|23| Nova CGI Notification Script"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7743; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR itadem trojan 3.0 runtime detection"; flow:to_client,established; content:"|0D 0A|ItAdEm Trojan Server|0D 0A|"; nocase; reference:url,www.antispyware.com/glossary_details.php?ID=2059; reference:url,www.megasecurity.org/trojans/i/itadem/Itadem3.0.html; classtype:trojan-activity; sid:12244; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR trojan-spy.win32.delf.uv runtime detection"; flow:from_server,established; flowbits:isset,Trojan-Spy.Win32.Delf.uv_Detection; content:"[|00|u|00|p|00|d|00|a|00|t|00|e|00|]"; content:"[|00|p|00|o|00|p|00|w|00|i|00|n|00|]"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Delf.uv&threatid=134949; classtype:trojan-activity; sid:13878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR td.exe runtime detection - download"; flow:to_server,established; content:"/download.php"; nocase; content:"id="; distance:0; nocase; content:"Submit=Download+Crack+and+Keygen"; distance:0; nocase; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16096; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR win32.delf.jwh runtime detection"; flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; reference:url,www.emsisoft.com/en/malware/?Backdoor.Win32.Delf.jwh; classtype:trojan-activity; sid:16092; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Delf Trojan POST attempt"; flow:to_server,established; content:"tip"; nocase; content:"&cli"; distance:0; nocase; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1; classtype:trojan-activity; sid:15730; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Night Dragon initial beacon"; flow:established,to_server; content:"|68 57 24 13|"; depth:4; offset:12; content:"|01 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Night Dragon keepalive message"; flow:established,to_server; content:"|68 57 24 13|"; depth:4; offset:12; content:"|03 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHAT mIRC IRC URL buffer overflow attempt"; flow:to_client,established; content:"src='irc|3A|//"; pcre:"/^\S{999}/R"; reference:bugtraq,8819; reference:cve,2003-1336; classtype:attempted-user; sid:16579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Microsoft XML parser IIS WebDAV attack attempt"; flow:established,to_server; content:"PROPFIND"; depth:8; nocase; pcre:"/(xmlns\x3A.*?){15}/"; reference:bugtraq,11384; reference:cve,2003-0718; classtype:denial-of-service; sid:12043; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"-100"; fast_pattern:only; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:16214; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; file_data; content:"|FF D8 FF|"; content:"|FF ED|"; content:"8BIM"; within:4; distance:16; nocase; pcre:"/\xff\xed.{16}8BIM\x04(\x09|\x0c)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging small offset malformed tiff"; flow:to_client,established; content:"II*|00|"; byte_jump:4,0,relative,little; content:"|02 01 03 00|"; distance:-8; byte_test:4,>,6,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12633; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; flowbits:isset,http.tiff; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12634; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple QuickTime STSD atom overflow attempt"; flow:established,to_client; flowbits:isset,http.quicktime; content:"stsd"; byte_test:4,>,0,4,relative,big; byte_test:4,<,12,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26341; reference:cve,2007-3750; classtype:attempted-user; sid:12746; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Skype skype4com URI handler memory corruption attempt"; flow:established,to_client; content:"skype4com|3A|"; fast_pattern:only; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple QTIF malformed idsc atom"; flow:established,to_client; content:"idsc"; byte_test:4,<,94,-8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0033; classtype:attempted-user; sid:13517; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Possible Adobe Flash ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Possible Adobe PDF ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; content:"unescape|28|'"; content:"GetDetailsString|28|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; classtype:attempted-user; sid:16578; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT BEA WebLogic jsessionid buffer overflow attempt"; flow:to_server,established; content:"JSESSIONID="; nocase; isdataat:500,relative; pcre:"/^Cookie\x3a[^\n]*[\x3b\x3a]\s*JSESSIONID=[^\n\x3b=]{500}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33177; reference:cve,2008-5457; classtype:attempted-admin; sid:15010; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17404; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17406; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17405; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT osCommerce categories.php Arbitrary File Upload And Code Execution"; flow:to_server,established; content:"/admin/categories.php/login.php?cPath=&action=new_product_preview"; fast_pattern:only; reference:bugtraq,44995; classtype:web-application-attack; sid:18678; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Sun Java Applet2ClassLoader Remote Code Execution"; flow:from_server,established; file_data; content:"codebase|3D 22|file|3A 2F 2F|"; nocase; content:"code|3D 22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-4452; reference:url,exploit-db.com/exploits/16990/; classtype:attempted-user; sid:18679; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Visio version number anomaly"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; fast_pattern:only; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0934; reference:url,www.microsoft.com/technet/security/bulletin/MS07-030.mspx; classtype:misc-activity; sid:11836; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MISC HP DDMI Agent spoofing - command execution"; flow:established,to_server; content:"SOAPMethodName|3A| urn|3A|aiagent|23|executeProcess"; nocase; metadata:policy security-ips drop; reference:bugtraq,35250; reference:cve,2009-1419; classtype:attempted-admin; sid:18397; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,wav_file.request; content:"RIFF"; content:"WAVEfmt"; distance:4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,realmedia_file.request; content:"INDX"; byte_test:4,>,0x15555554,6,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,realplayer.playlist; content:"qt|3A|next"; fast_pattern:only; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Nullsoft Winamp AIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,aiff_file.request; content:"COMM"; byte_test:4,>,0xD9EF,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33226; reference:cve,2009-0263; classtype:attempted-user; sid:15901; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA realplayer .rec download attempt"; flow:from_server,established; file_data; content:".rec|00|"; fast_pattern:only; flowbits:set,http.realplayer; flowbits:noalert; classtype:misc-activity; sid:19128; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA realplayer .r1m download attempt"; flow:from_server,established; file_data; content:".r1m"; fast_pattern:only; flowbits:set,http.realplayer; flowbits:noalert; classtype:misc-activity; sid:19129; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Visio file download"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A|"; fast_pattern:only; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Webmail client chat applet"; flow:established,to_server; content:"POST"; nocase; content:"/mail/channel/bind"; fast_pattern:only; classtype:policy-violation; sid:12391; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent|3A| Ruckus/"; fast_pattern:only; classtype:policy-violation; sid:12425; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Crystal Reports file download"; flow:to_client,established; flowbits:isset, rpt.download; content:"|D0 CF 11 E0 A1 B1 1A E1 00|"; fast_pattern:only; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,www.microsoft.com/technet/security/bulletin/ms07-052.mspx; classtype:policy-violation; sid:12456; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY AIM Express usage"; flow:to_server,established; content:"Host|3A| aimexpress.aol.com"; fast_pattern:only; reference:url,www.aim.com/aimexpress.adp; classtype:policy-violation; sid:12686; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Habbo chat client successful login"; flow:to_client,established; content:"document.habboLoggedIn = true"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13863; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:15170; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY attempted download of a PDF with embedded Flash"; flow:to_client,established; flowbits:isset,http.pdf; content:"stream"; fast_pattern; nocase; pcre:"/^[\x0A\x0D]{1,2}[CF]WS/iR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:15727; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Adobe PDF alternate file magic obfuscation"; flow:established,to_client; flowbits:isset,http.pdf; content:"%COS-0.2"; depth:1032; content:"PDF-"; distance:0; metadata:policy security-ips drop; reference:url,www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf; classtype:misc-activity; sid:16390; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"`|E8 00 00 00 00|X|83 E8|=P|8D B8|"; content:"|FF|W"; within:2; distance:3; content:"|8A 06|F|88 07|G|EB EB 90 90 90 B8 01 00 00 00 01|"; within:17; distance:28; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16434; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"`|BE|"; content:"|8D BE|"; within:2; distance:4; pcre:"/^\x57(\x83\xCD\xFF)?\x89\xE5\x8D\x9C\x24.{4}\x31\xC0\x50\x39\xDC\x75\xFB\x46\x46\x53\x68.{4}\x57\x83\xC3\x04\x53\x68.{4}\x56\x83\xC3\x04\x53\x50\xC7\x03.{4}\x90\x90/R"; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16436; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"|8A 06|F|88 07|G|01 DB|u|07 8B 1E 83 EE FC 11 DB|"; pcre:"/^(\x72\xED\xB8\x01.{3}|\x8A\x07\x72\xEB\xB8\x01\x00\x00\x00)\x01\xDB\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x11\xC0\x01\xDB[\x73\x77].{3}\x8B\x1E\x83\xEE\xFC/R"; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16435; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY PDF with click-to-launch executable"; flow:established,to_client; flowbits:isset,http.pdf; content:"obj"; nocase; content:"<<"; within:4; content:"/Launch"; within:100; fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|com|swf)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY base64-encoded uri data object found"; flow:to_client,established; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of Windows .lnk file that executes cmd.exe 
detected"; flow:to_client,established; flowbits:isset,http.lnk; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-049.mspx; classtype:attempted-user; sid:17442; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with embedded JavaScript - JS string"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/JS"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*?\x2fJS[\s|>|<]/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:17668; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY FlashPix file download request"; flow:to_server, established; content:".fpx"; nocase; flowbits:set,http.fpx; flowbits:noalert; classtype:policy-violation; sid:17739; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Excel with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.xls; content:"ShockwaveFlashObjects"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:18545; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Word with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.doc; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:18546; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Powerpoint with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.ppt; content:"|53 00 
68 00 6F 00 63 00 6B 00 77 00 61 00 76 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 4F 00 62 00 6A 00 65 00 63 00 74 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:18547; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY PDF file with embedded PDF object"; flow:established,to_client; file_data; content:"EmbeddedFile"; distance:0; nocase; content:"3C7064663E"; distance:0; nocase; content:"3C2F7064663E"; distance:0; nocase; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY RTF file with embedded OLE object"; flow:established,to_client; flowbits:isset,http.rtf; file_data; content:"d0cf11e"; distance:0; nocase; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18685; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with embedded JavaScript - JavaScript string"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/JavaScript"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fJavaScript/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18681; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with OpenAction object"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/OpenAction"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fOpenAction/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18682; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Excel file with embedded PDF object"; flow:established,to_client; flowbits:isset,http.xls; file_data; content:"startxref"; distance:0; nocase; 
content:"%%EOF"; distance:0; nocase; isdataat:!3,relative; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18683; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Apple Mach-O executable download attempt"; flow:established,to_client; file_data; content:"|CA FE BA BE|"; within:4; byte_test:4, <, 20, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html; classtype:policy-violation; sid:18983; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c]u[0-9a-f]{4}(\x22\s*\x2B\s*\x22)?[\x25\x5c]u[0-9a-f]{4}/smi"; classtype:shellcode-detect; sid:10504; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi"; classtype:shellcode-detect; sid:10505; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape unicode encoded shellcode"; flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; 
pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; classtype:shellcode-detect; sid:12630; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE JavaScript var shellcode"; flow:to_client,established; content:" shellcode"; fast_pattern:only; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; sid:17392; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE JavaScript var heapspray"; flow:to_client,established; content:" heapspray"; fast_pattern:only; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; sid:17393; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 1E 02 00 00 EB 0A 11 06 2E 02 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17497; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 36 00 00 00 0F 00 11 05 2E 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,20226; reference:cve,2006-4694; 
classtype:attempted-user; sid:17496; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel Column record handling memory corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 00 1C 00 0F 00 02 00 FF FF 00 00 01 00 03 00 00|"; fast_pattern:only; reference:bugtraq,21925; reference:cve,2007-0030; classtype:attempted-user; sid:17543; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated RealPlayer Ierpplug.dll ActiveX exploit attempt"; flow:established,to_client; content:"VulObject = |22|IER|22| + |22|PCtl.I|22| + |22|ERP|22| + |22|Ctl.1|22 3B|"; nocase; metadata:policy security-ips drop; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,26586; reference:cve,2006-6847; reference:cve,2007-5601; classtype:attempted-user; sid:12775; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt"; flow:established,to_client; content:"storm.setAttribute|28 22|classid|22|,|22|clsid|3A|6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB|22 29|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25601; reference:cve,2007-4816; classtype:attempted-user; sid:12771; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated RDS.Dataspace ActiveX exploit attempt"; flow:established,to_client; content:"00C04FC29E36|7C|983A|7C|11D0|7C|65A3|7C 7C|BD96C556|7C 7C|clsid"; nocase; metadata:policy security-ips drop; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,www.microsoft.com/technet/security/bulletin/MS06-014.mspx; classtype:attempted-user; sid:12770; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt"; flow:established,to_client; content:""; nocase; metadata:policy security-ips drop; reference:bugtraq,26536; 
reference:cve,2007-6144; classtype:attempted-user; sid:12773; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated PPStream PowerPlayer ActiveX exploit attempt"; flow:established,to_client; content:"pps.setAttribute|28 22|classid|22|,|22|clsid|3A|5EC7C511-CD0F-42E6-830C-1BD9882F3458|22 29|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25502; reference:cve,2007-4748; classtype:attempted-user; sid:12772; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt"; flow:established,to_client; content:" $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Metasploit Framework xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:""; distance:0; content:""; distance:0; content:"'|29 3B|echo|28|'"; distance:0; content:"'|29 3B| passthru|28|chr|28|"; distance:0; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13816; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS alternate xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:""; distance:0; content:""; distance:0; content:"AND ascii|28|substring|28|pass,1,1|29 29 0A|/**/BETWEEN/**/52/**/AND/**/58|29|/*"; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13818; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:""; distance:0; content:""; distance:0; content:"',''|29 29 3B|echo '_begin_|0A|'|3B|echo"; distance:0; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13817; rev:5;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS isComponentInstalled Metasploit attack attempt"; flow:established,to_client; content:"isComponentInstalled|28|boom"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Visio Object Header Buffer Overflow attempt"; flow:to_client,established; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox animated PNG processing integer overflow"; flow:established,to_client; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR|00 00 80 00 00 00 80 00 08 06 00 00 01 B3|{|93|"; metadata:policy security-ips drop; reference:cve,2008-4064; classtype:attempted-user; sid:15191; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; content:"XUL_NS"; content:"child.parentNode.removeChild"; distance:0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26132; 
reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; content:""; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|"; within:64; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33880; reference:cve,2009-0520; classtype:attempted-user; sid:15478; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS"; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:established,to_client; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0015; 
reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms09-032.mspx; classtype:attempted-user; sid:15678; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript - unicode encoding"; flow:established,to_client; content:".|00 00 00|c|00 00 00|l|00 00 00|a|00 00 00|s|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00|=|00 00 00|'|00 00 00|c|00 00 00|l|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00 3A 00 00 00|0|00 00 00|9|00 00 00|5|00 00 00|5|00 00 00|A|00 00 00|C|00 00 00|6|00 00 00|2|00 00 00|-|00 00 00|B|00 00 00|F|00 00 00|2|00 00 00|E|00 00 00|-|00 00 00|4|00 00 00|C|00 00 00|B|00 00 00|A|00 00 00|-|00 00 00|A|00 00 00|2|00 00 00|B|00 00 00|9|00 00 00|-|00 00 00|A|00 00 00|6|00 00 00|3|00 00 00|F|00 00 00|7|00 00 00|7|00 00 00|2|00 00 00|D|00 00 00|4|00 00 00|6|00 00 00|C|00 00 00|F|00 00 00|'|00 00 00 3B|"; nocase; metadata:policy security-ips drop; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms09-032.mspx; classtype:attempted-user; sid:15679; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; content:"Math.ceil|28|Math.log|28|"; nocase; content:"Math.LN2|29|"; distance:0; nocase; pcre:"/\x29\s*\x2f\s*Math.LN2\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer popup window object tag code execution attempt"; flow:to_client,established; content:"window.createPopup|28 29|"; content:"oPopup.document.body.innerHTML"; distance:0; content:""; distance:0; metadata:policy 
security-ips drop; reference:cve,2003-0838; classtype:attempted-user; sid:15880; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer Multiple Products RA file processing overflow attempt"; flow:to_client,established; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-2264; classtype:attempted-user; sid:15940; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt"; flow:to_client,established; content:"-lh0-"; content:"|02 C9 C5|M|88 00 02|DDDD"; within:11; distance:13; metadata:policy security-ips drop; reference:bugtraq,12832; reference:cve,2005-0644; classtype:attempted-user; sid:15950; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS zlib Denial of Service"; flow:to_client,established; content:"x|9C 85 C1 B9 11 80|0|10 04|A|EC A9 9A A0 C4|+|1E 91 7F FE D8 EB|p|DD AD FD 93 B9| KA|D6 82|l|05 D9 0B|r|14 A4|'9|93 5C|I|EE 24|O|92 91 E4|M2}yw[|86|"; metadata:policy security-ips drop; reference:bugtraq,11051; reference:cve,2004-0797; classtype:attempted-user; sid:15981; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS PHP strip_tags bypass vulnerability exploit attempt"; flow:to_server,established; 
content:"/strip/getPoc.php?note=%3Cs%00cript%3Ealert%28%27Oops!%27%29%3B%3C%2Fs%00cript%3E"; metadata:policy security-ips drop; reference:bugtraq,10724; reference:cve,2004-0595; classtype:attempted-user; sid:15977; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS F-Secure Anti-Virus LHA processing buffer overflow attempt"; flow:to_client,established; content:"!|C3|-lh0-|18 00 00 00 05 00 00 00 FA BB|m0 |01 08|testfile|F8 1B|U|05 00|P|B4 81 94 01 01|UUUU"; metadata:policy security-ips drop; reference:bugtraq,10243; reference:cve,2004-0234; classtype:attempted-user; sid:15966; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Exchange OWA XSS and spoofing attempt"; flow:to_client,established; content:"exchange/calendar/pick.asp?view=ppp%22>|22|>click this"; metadata:policy security-ips drop; reference:bugtraq,10902; reference:cve,2004-0203; classtype:misc-attack; sid:15964; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Microsoft ASP.NET canonicalization exploit attempt"; flow:to_server,established; content:"GET /fsc/secured|5C|fsc.aspx HTTP/1.1"; metadata:policy security-ips drop; reference:bugtraq,11342; reference:cve,2004-0847; classtype:attempted-user; sid:15985; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_client,established; content:"|00 9A 00 00 00 FF 80|P|00 00 00 00 00 14 00 14 00 02|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:16001; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Publisher 2007 conversion library code execution attempt"; flow:to_client,established; flowbits:isset,http.pub; content:"|01 00 00 00 FF FF FF 7F 01 00 00 80 01 00 00 00 10 0E FE 7F 01 00 00 00 58 00 7C 96 18 CB 7C 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22702; reference:cve,2007-1754; classtype:attempted-user; sid:16051; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Yahoo Music Jukebox ActiveX exploit"; flow:established,to_client; content:"buf = buf + unescape|28 22|%u"; nocase; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; nocase; metadata:policy security-ips drop; reference:bugtraq,27578; reference:bugtraq,27579; reference:cve,2008-0624; reference:cve,2008-0625; classtype:attempted-user; sid:16068; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor AV gateway virus detection bypass attempt"; flow:to_client,established; content:""; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,12269; reference:cve,2005-0218; classtype:misc-attack; sid:16087; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; 
sid:16145; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; content:"SPP_P|1D CD|P|3B D5 AF AF AF AF 19|6|A5|U4cz{|B1 04 1D E7 EF|jiI|8A|T|D1|s|FD 0C F7|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:16089; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt"; flow:established,to_client; content:"white-space|3A| pre"; content:""; distance:0; fast_pattern; reference:cve,2010-3765; classtype:attempted-user; sid:19077; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|"; within:16; distance:320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|"; within:16; distance:320; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; content:"window|2E|getSelection|28 29 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EEED4C20-7F1B-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8011; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|4|00|7|00|7|00|1|00|6|00|9|00|-|00|4|00|7|00|5|00|2|00|-|00|4|00|1|00|D|00|C|00|-|00|A|00|B|00|0|00|F|00|-|00|C|00|5|00|0|00|E|00|B|00|A|00|7|00|5|00|6|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x004\x007\x007\x001\x006\x009\x00-\x004\x007\x005\x002\x00-\x004\x001\x00D\x00C\x00-\x00A\x00B\x000\x00F\x00-\x00C\x005\x000\x00E\x00B\x00A\x007\x005\x006\x004\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7891; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID access"; flow:established,to_client; content:"D670D0B3-05AB-4115-9F87-D983EF1AC747"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D670D0B3-05AB-4115-9F87-D983EF1AC747/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7894; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID access"; flow:established,to_client; content:"4EFE2452-168A-11D1-BC76-00C04FB9453B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4EFE2452-168A-11D1-BC76-00C04FB9453B/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8029; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID access"; flow:established,to_client; content:"9CDE7341-3C20-11D0-A330-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CDE7341-3C20-11D0-A330-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8801; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8793; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|2|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; 
nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x002\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7957; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Business Object Factory ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|B|00|9|00|B|00|C|00|E|00|D|00|D|00|-|00|E|00|C|00|7|00|E|00|-|00|4|00|7|00|E|00|1|00|-|00|9|00|3|00|2|00|2|00|-|00|D|00|4|00|A|00|2|00|1|00|0|00|6|00|1|00|7|00|1|00|1|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00B\x009\x00B\x00C\x00E\x00D\x00D\x00-\x00E\x00C\x007\x00E\x00-\x004\x007\x00E\x001\x00-\x009\x003\x002\x002\x00-\x00D\x004\x00A\x002\x001\x000\x006\x001\x007\x001\x001\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8364; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Recordset ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|3|00|5|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x003\x005\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7869; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|0|00|B|00|4|00|7|00|9|00|1|00|F|00|-|00|4|00|7|00|3|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x000\x00B\x004\x007\x009\x001\x00F\x00-\x004\x007\x003\x001\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8745; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID access"; flow:established,to_client; content:"ADC6CB86-424C-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADC6CB86-424C-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7910; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000 and 2002 Web Components Chart ActiveX Object Access"; flow:from_server,established; content:"0002E500-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E500-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4176; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QuickTime Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|2|00|B|00|F|00|2|00|5|00|D|00|5|00|-|00|8|00|C|00|1|00|7|00|-|00|4|00|B|00|2|00|3|00|-|00|B|00|C|00|8|00|0|00|-|00|D|00|3|00|4|00|8|00|8|00|A|00|B|00|D|00|D|00|C|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x002\x00B\x00F\x002\x005\x00D\x005\x00-\x008\x00C\x001\x007\x00-\x004\x00B\x002\x003\x00-\x00B\x00C\x008\x000\x00-\x00D\x003\x004\x008\x008\x00A\x00B\x00D\x00D\x00C\x006\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8376; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID access"; flow:established,to_client; content:"E31E87C4-86EA-4940-9B8A-5BD5D179A737"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E31E87C4-86EA-4940-9B8A-5BD5D179A737/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7922; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 
AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID access"; flow:established,to_client; content:"1B00725B-C455-4DE6-BFB6-AD540AD427CD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B00725B-C455-4DE6-BFB6-AD540AD427CD/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7880; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8781; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MsnPUpld ActiveX Object Access"; flow:from_server,established; content:"C3DFA998-A486-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3DFA998-A486-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4191; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID access"; flow:established,to_client; 
content:"353359C1-39E1-491b-9951-464FD8AB071C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6684; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX McSubMgr ActiveX CLSID access"; flow:established,to_client; content:"9be8d7b2-329c-442a-a4ac-aba9d7572602"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9be8d7b2-329c-442a-a4ac-aba9d7572602/si"; metadata:policy security-ips drop; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7864; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|5|00|4|00|4|00|C|00|2|00|4|00|-|00|F|00|D|00|0|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|6|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|4|00|B|00|5|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x005\x004\x004\x00C\x002\x004\x00-\x00F\x00D\x000\x00B\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x006\x003\x00-\x000\x000\x00A\x00A\x000\x000\x004\x004\x00B\x005\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7434; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"8|00|5|00|A|00|4|00|A|00|9|00|9|00|C|00|-|00|8|00|C|00|3|00|D|00|-|00|4|00|9|00|9|00|E|00|-|00|A|00|3|00|8|00|6|00|-|00|E|00|0|00|7|00|4|00|3|00|D|00|F|00|F|00|8|00|F|00|B|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00A\x004\x00A\x009\x009\x00C\x00-\x008\x00C\x003\x00D\x00-\x004\x009\x009\x00E\x00-\x00A\x003\x008\x006\x00-\x00E\x000\x007\x004\x003\x00D\x00F\x00F\x008\x00F\x00B\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8736; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID access"; flow:established,to_client; content:"860D28D0-8BF4-11CE-BE59-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860D28D0-8BF4-11CE-BE59-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8007; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID access"; flow:established,to_client; content:"CC7BFB43-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB43-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8045; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID access"; flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7484; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access"; flow:from_server,established; content:"1fb464c8-09bb-4017-a2f5-eb742f04392f"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1fb464c8-09bb-4017-a2f5-eb742f04392f/si"; metadata:policy security-ips drop; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,www.microsoft.com/technet/security/bulletin/MS02-046.mspx; classtype:attempted-user; sid:4185; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Source ActiveX CLSID access"; flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7494; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatq.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|B|00|3|00|A|00|E|00|C|00|B|00|-|00|D|00|F|00|D|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|D|00|A|00|A|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|8|00|5|00|C|00|F|00|E|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00B\x003\x00A\x00E\x00C\x00B\x00-\x00D\x00F\x00D\x006\x00-\x001\x001\x00D\x001\x00-\x009\x00D\x00A\x00A\x00-\x000\x000\x008\x000\x005\x00F\x008\x005\x00C\x00F\x00E\x003\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7996; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MSVTDGridCtrl7 ActiveX Object Access"; flow:from_server,established; content:"6F9F3481-84DD-4B14-B09C-6B4288ECCDE8"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6F9F3481-84DD-4B14-B09C-6B4288ECCDE8/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4234; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Trouble Shooter ActiveX Object Access"; flow:from_server,established; content:"4B106874-DD36-11D0-8B44-00A024DD9EFF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4B106874-DD36-11D0-8B44-00A024DD9EFF/si"; metadata:policy security-ips drop; reference:bugtraq,8833; reference:cve,2003-0662; reference:url,www.microsoft.com/technet/security/bulletin/MS03-042.mspx; classtype:attempted-user; sid:4145; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX SuperBuddy Class ActiveX CLSID access"; flow:established,to_client; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; metadata:policy security-ips drop; 
classtype:attempted-user; sid:7983; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|4|00|7|00|8|00|F|00|6|00|4|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x004\x007\x008\x00F\x006\x004\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8038; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft SysTray ActiveX Object Access"; flow:from_server,established; content:"35CEC8A3-2BE6-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*35CEC8A3-2BE6-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4231; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_UK Stemmer ActiveX CLSID access"; flow:established,to_client; content:"D99F7670-7F1A-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D99F7670-7F1A-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; 
classtype:attempted-user; sid:8009; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Data Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8722; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|5|00|D|00|F|00|9|00|D|00|1|00|0|00|-|00|3|00|B|00|5|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|3|00|E|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x005\x00D\x00F\x009\x00D\x001\x000\x00-\x003\x00B\x005\x002\x00-\x001\x001\x00D\x001\x00-\x008\x003\x00E\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x00D\x00C\x008\x004\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:7986; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ACM Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A761-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A761-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7991; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|1|00|0|00|8|00|7|00|2|00|7|00|0|00|-|00|D|00|3|00|4|00|8|00|-|00|4|00|3|00|2|00|C|00|-|00|8|00|9|00|9|00|E|00|-|00|2|00|D|00|2|00|F|00|3|00|8|00|F|00|F|00|2|00|9|00|A|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x001\x000\x008\x007\x002\x007\x000\x00-\x00D\x003\x004\x008\x00-\x004\x003\x002\x00C\x00-\x008\x009\x009\x00E\x00-\x002\x00D\x002\x00F\x003\x008\x00F\x00F\x002\x009\x00A\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7489; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7492; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualExec Control ActiveX CLSID access"; flow:established,to_client; content:"99EA8527-6A6A-40FE-A67C-82CF763902D0"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99EA8527-6A6A-40FE-A67C-82CF763902D0/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8407; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player 7+ ActiveX Object Access"; flow:from_server,established; content:"6BF52A52-394A-11D3-B153-00C04F79FAA6"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6BF52A52-394A-11D3-B153-00C04F79FAA6/si"; metadata:policy security-ips drop; reference:bugtraq,12031; reference:bugtraq,12032; reference:bugtraq,2167; reference:cve,2001-0148; reference:cve,2004-1324; reference:cve,2004-1325; reference:url,www.microsoft.com/technet/security/bulletin/MS01-015.mspx; classtype:attempted-user; sid:4156; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dynamic Casts ActiveX clsid access"; flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7435; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShotDetect ActiveX CLSID access"; flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; 
metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7448; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DocFind Command ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|0|00|5|00|E|00|6|00|9|00|0|00|-|00|6|00|7|00|8|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|7|00|5|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|6|00|4|00|F|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x000\x005\x00E\x006\x009\x000\x00-\x006\x007\x008\x00D\x00-\x001\x001\x00D\x001\x00-\x00B\x007\x005\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x006\x004\x00F\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8412; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|4|00|4|00|F|00|4|00|8|00|0|00|6|00|-|00|E|00|8|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|6|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|3|00|0|00|8|00|7|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x004\x004\x00F\x004\x008\x000\x006\x00-\x00E\x008\x00A\x008\x00-\x001\x001\x00D\x002\x00-\x009\x006\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x003\x000\x008\x007\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7988; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX 
CLSID access"; flow:established,to_client; content:"D17506C3-6B26-11D0-8914-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D17506C3-6B26-11D0-8914-00C04FC2A0CA/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8843; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8790; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Xml2Dex ActiveX CLSID access"; flow:established,to_client; content:"18C628EE-962A-11D2-8D08-00A0C9441E20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18C628EE-962A-11D2-8D08-00A0C9441E20/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8379; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Registration Wizard ActiveX Object Access"; flow:from_server,established; content:"50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"; 
fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50E5E3D1-C07E-11D0-B9FD-00A0249F6B00/si"; metadata:policy security-ips drop; reference:bugtraq,671; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4171; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Root ActiveX Object Access"; flow:from_server,established; content:"6E22710F-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710F-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4912; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access"; flow:from_server,established; content:"BC5F1E51-5110-11D1-AFF5-006097C9A284"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC5F1E51-5110-11D1-AFF5-006097C9A284/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4198; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8796; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID access"; flow:established,to_client; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4C6F-AA96-4E4DC6DC291E/si"; metadata:policy security-ips drop; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; classtype:attempted-user; sid:7914; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Log Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|2|00|8|00|8|00|3|00|6|00|6|00|7|00|-|00|E|00|9|00|5|00|C|00|-|00|4|00|4|00|3|00|D|00|-|00|A|00|C|00|9|00|6|00|-|00|4|00|C|00|A|00|C|00|A|00|2|00|7|00|B|00|E|00|B|00|6|00|E|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x002\x008\x008\x003\x006\x006\x007\x00-\x00E\x009\x005\x00C\x00-\x004\x004\x003\x00D\x00-\x00A\x00C\x009\x006\x00-\x004\x00C\x00A\x00C\x00A\x002\x007\x00B\x00E\x00B\x006\x00E\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7481; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|9|00|A|00|D|00|9|00|0|00|E|00|F|00|-|00|1|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x009\x00A\x00D\x009\x000\x00E\x00F\x00-\x001\x00C\x002\x000\x00-\x001\x001\x00D\x001\x00-\x008\x008\x000\x001\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7953; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|3|00|1|00|D|00|1|00|1|00|-|00|6|00|F|00|D|00|2|00|-|00|4|00|6|00|5|00|9|00|-|00|A|00|D|00|7|00|5|00|-|00|1|00|5|00|5|00|F|00|A|00|1|00|4|00|3|00|F|00|4|00|2|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x003\x001\x00D\x001\x001\x00-\x006\x00F\x00D\x002\x00-\x004\x006\x005\x009\x00-\x00A\x00D\x007\x005\x00-\x001\x005\x005\x00F\x00A\x001\x004\x003\x00F\x004\x002\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7443; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x007\x00F\x005\x009\x002\x000\x000\x00-\x008\x007\x008\x003\x00-\x001\x001\x00D\x002\x00-\x008\x003\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x004\x005\x00A\x008\x001\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8392; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|C|00|D|00|E|00|7|00|3|00|4|00|1|00|-|00|3|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|3|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00C\x00D\x00E\x007\x003\x004\x001\x00-\x003\x00C\x002\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x003\x000\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8802; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Rendezvous Class ActiveX CLSID access"; flow:established,to_client; content:"F1029E5B-CB5B-11D0-8D59-00C04FD91AC0"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F1029E5B-CB5B-11D0-8D59-00C04FD91AC0/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7974; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Frame Eater ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|C|00|6|00|8|00|9|00|5|00|5|00|E|00|-|00|F|00|9|00|6|00|5|00|-|00|4|00|2|00|4|00|9|00|-|00|8|00|E|00|1|00|8|00|-|00|F|00|0|00|9|00|7|00|7|00|B|00|1|00|D|00|2|00|8|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00C\x006\x008\x009\x005\x005\x00E\x00-\x00F\x009\x006\x005\x00-\x004\x002\x004\x009\x00-\x008\x00E\x001\x008\x00-\x00F\x000\x009\x007\x007\x00B\x001\x00D\x002\x008\x009\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7438; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|2|00|9|00|0|00|B|00|D|00|5|00|-|00|4|00|8|00|A|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|4|00|3|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|C|00|3|00|F|00|B|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x002\x009\x000\x00B\x00D\x005\x00-\x004\x008\x00A\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x004\x003\x002\x00-\x000\x000\x006\x000\x000\x008\x00C\x003\x00F\x00B\x00F\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; 
reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,www.microsoft.com/technet/security/Bulletin/MS99-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; classtype:attempted-user; sid:8065; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID access"; flow:established,to_client; content:"CD00020C-8B95-11D1-82DB-00C04FB1625D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CD00020C-8B95-11D1-82DB-00C04FB1625D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7906; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|6|00|7|00|0|00|D|00|0|00|B|00|3|00|-|00|0|00|5|00|A|00|B|00|-|00|4|00|1|00|1|00|5|00|-|00|9|00|F|00|8|00|7|00|-|00|D|00|9|00|8|00|3|00|E|00|F|00|1|00|A|00|C|00|7|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x006\x007\x000\x00D\x000\x00B\x003\x00-\x000\x005\x00A\x00B\x00-\x004\x001\x001\x005\x00-\x009\x00F\x008\x007\x00-\x00D\x009\x008\x003\x00E\x00F\x001\x00A\x00C\x007\x004\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7895; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|8|00|A|00|4|00|9|00|9|00|C|00|7|00|-|00|F|00|9|00|B|00|0|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|D|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|8|00|1|00|B|00|0|00|3|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x008\x00A\x004\x009\x009\x00C\x007\x00-\x00F\x009\x00B\x000\x00-\x001\x001\x00D\x002\x00-\x009\x003\x00D\x004\x00-\x000\x000\x00A\x000\x00C\x009\x008\x001\x00B\x000\x003\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7883; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Switch Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|1|00|0|00|5|00|B|00|C|00|3|00|-|00|C|00|0|00|6|00|4|00|-|00|4|00|5|00|F|00|1|00|-|00|A|00|D|00|5|00|3|00|-|00|6|00|D|00|8|00|A|00|8|00|5|00|7|00|8|00|D|00|0|00|1|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x001\x000\x005\x00B\x00C\x003\x00-\x00C\x000\x006\x004\x00-\x004\x005\x00F\x001\x00-\x00A\x00D\x005\x003\x00-\x006\x00D\x008\x00A\x008\x005\x007\x008\x00D\x000\x001\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7491; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID access"; flow:established,to_client; content:"283807B5-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B5-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8765; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID access"; flow:established,to_client; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06723E09-F4C2-43c8-8358-09FCD1DB0766/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8373; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8819; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT PolyLine Control 2 ActiveX Object Access"; flow:from_server,established; content:"D24D4453-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4453-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4204; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|D|00|3|00|6|00|C|00|E|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00D\x003\x006\x00C\x00E\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8024; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4163; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Progress Ctl ActiveX Object Access"; flow:from_server,established; content:"0006F071-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F071-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4900; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|1|00|7|00|5|00|0|00|6|00|C|00|3|00|-|00|6|00|B|00|2|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x001\x007\x005\x000\x006\x00C\x003\x00-\x006\x00B\x002\x006\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x004\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8844; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX German_German Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|1|00|0|00|A|00|4|00|9|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x001\x000\x00A\x004\x009\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8016; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|0|00|C|00|0|00|7|00|D|00|5|00|6|00|-|00|7|00|C|00|6|00|9|00|-|00|4|00|3|00|F|00|1|00|-|00|B|00|4|00|A|00|0|00|-|00|2|00|5|00|F|00|5|00|A|00|1|00|1|00|F|00|A|00|B|00|1|00|9|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x000\x00C\x000\x007\x00D\x005\x006\x00-\x007\x00C\x006\x009\x00-\x004\x003\x00F\x001\x00-\x00B\x004\x00A\x000\x00-\x002\x005\x00F\x005\x00A\x001\x001\x00F\x00A\x00B\x001\x009\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8368; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|F|00|1|00|5|00|8|00|E|00|1|00|-|00|C|00|B|00|0|00|4|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|E|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00F\x001\x005\x008\x00E\x001\x00-\x00C\x00B\x000\x004\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x00E\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8050; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|1|00|1|00|4|00|5|00|5|00|5|00|0|00|-|00|A|00|4|00|5|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|9|00|0|00|2|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|2|00|3|00|9|00|0|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x001\x001\x004\x005\x005\x005\x000\x00-\x00A\x004\x005\x004\x00-\x001\x001\x00D\x004\x00-\x009\x000\x002\x000\x00-\x000\x000\x00D\x000\x00B\x007\x002\x003\x009\x000\x008\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7889; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID access"; flow:established,to_client; content:"AF604EFE-8897-11D1-B944-00A0C90312E1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF604EFE-8897-11D1-B944-00A0C90312E1/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7948; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Interface Definition ActiveX Object Access"; flow:from_server,established; content:"6E227109-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227109-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4906; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC1-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC1-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8834; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShotDetect ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|F|00|F|00|B|00|1|00|F|00|C|00|7|00|-|00|2|00|7|00|0|00|D|00|-|00|4|00|9|00|8|00|6|00|-|00|B|00|2|00|9|00|9|00|-|00|F|00|E|00|C|00|F|00|3|00|F|00|0|00|E|00|4|00|2|00|D|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00F\x00B\x001\x00F\x00C\x007\x00-\x002\x007\x000\x00D\x00-\x004\x009\x008\x006\x00-\x00B\x002\x009\x009\x00-\x00F\x00E\x00C\x00F\x003\x00F\x000\x00E\x004\x002\x00D\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7449; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID access"; flow:established,to_client; content:"18AB439E-FCF4-40D4-90DA-F79BAA3B0655"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18AB439E-FCF4-40D4-90DA-F79BAA3B0655/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7999; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|9|00|A|00|2|00|C|00|2|00|A|00|6|00|-|00|4|00|7|00|7|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|B|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x009\x00A\x002\x00C\x002\x00A\x006\x00-\x004\x007\x007\x008\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x00B\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7432; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8768; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID access"; flow:established,to_client; content:"FD853CD9-7F86-11D0-8252-00C04FD85AB4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD853CD9-7F86-11D0-8252-00C04FD85AB4/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7916; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Stetch ActiveX CLSID access"; flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7450; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|1|00|2|00|3|00|2|00|E|00|E|00|-|00|4|00|4|00|D|00|7|00|-|00|4|00|4|00|9|00|4|00|-|00|A|00|B|00|8|00|B|00|-|00|C|00|C|00|6|00|1|00|B|00|1|00|0|00|E|00|2|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x001\x002\x003\x002\x00E\x00E\x00-\x004\x004\x00D\x007\x00-\x004\x004\x009\x004\x00-\x00A\x00B\x008\x00B\x00-\x00C\x00C\x006\x001\x00B\x001\x000\x00E\x002\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7485; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft TipGW Init ActiveX Object Access"; flow:from_server,established; content:"F117831B-C052-11D1-B1C0-00C04FC2F3EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F117831B-C052-11D1-B1C0-00C04FC2F3EF/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4214; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|D|00|4|00|5|00|2|00|9|00|E|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|5|00|5|00|0|00|-|00|A|00|2|00|E|00|0|00|-|00|C|00|2|00|5|00|D|00|7|00|C|00|5|00|C|00|C|00|0|00|D|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00D\x004\x005\x002\x009\x00E\x00-\x008\x004\x00E\x000\x00-\x004\x005\x005\x000\x00-\x00A\x002\x00E\x000\x00-\x00C\x002\x005\x00D\x007\x00C\x005\x00C\x00C\x000\x00D\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7457; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Import Filter ActiveX CLSID access"; flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7476; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID access"; flow:established,to_client; content:"B1549E58-3894-11D2-BB7F-00A0C999C4C1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1549E58-3894-11D2-BB7F-00A0C999C4C1/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8750; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID access"; flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7464; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Xml2Dex ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|C|00|6|00|2|00|8|00|E|00|E|00|-|00|9|00|6|00|2|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|D|00|0|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|4|00|1|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00C\x006\x002\x008\x00E\x00E\x00-\x009\x006\x002\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x00D\x000\x008\x00-\x000\x000\x00A\x000\x00C\x009\x004\x004\x001\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8380; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository ActiveX Object Access"; flow:from_server,established; content:"6E227101-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227101-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4225; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Image Control 1.0 ActiveX Object Access"; flow:from_server,established; content:"D4A97620-8E8F-11CF-93CD-00AA00C08FDF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D4A97620-8E8F-11CF-93CD-00AA00C08FDF/si"; metadata:policy security-ips drop; reference:bugtraq,12477; reference:url,www.microsoft.com/technet/security/bulletin/MS05-014.mspx; classtype:attempted-user; sid:4165; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|3|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x003\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; reference:cve,1999-0384; reference:url,www.microsoft.com/technet/security/bulletin/ms99-001.mspx; classtype:attempted-user; sid:7955; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID access"; flow:established,to_client; content:"E0F158E1-CB04-11D0-BD4E-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0F158E1-CB04-11D0-BD4E-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8049; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|B|00|B|00|3|00|1|00|0|00|-|00|5|00|D|00|0|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|3|00|B|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00B\x00B\x003\x001\x000\x00-\x005\x00D\x000\x001\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x003\x00B\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8042; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8787; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|C|00|A|00|B|00|B|00|0|00|B|00|F|00|-|00|7|00|F|00|1|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|7|00|8|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|7|00|E|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00C\x00A\x00B\x00B\x000\x00B\x00F\x00-\x007\x00F\x001\x009\x00-\x001\x001\x00D\x002\x00-\x009\x007\x008\x00E\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x007\x00E\x002\x00A\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8034; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access"; flow:from_server,established; content:"22D6F312-B0F6-11D0-94AB-0080C74C7E95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22D6F312-B0F6-11D0-94AB-0080C74C7E95/si"; metadata:policy security-ips drop; reference:bugtraq,793; reference:cve,1999-1110; classtype:attempted-user; sid:4152; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID access"; flow:established,to_client; content:"8241F015-84D3-11d2-97E6-0000F803FF7A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8241F015-84D3-11d2-97E6-0000F803FF7A/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7912; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItem2 ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|E|00|F|00|1|00|0|00|F|00|A|00|2|00|-|00|3|00|5|00|5|00|E|00|-|00|4|00|E|00|0|00|6|00|-|00|9|00|3|00|8|00|1|00|-|00|9|00|B|00|2|00|4|00|D|00|7|00|F|00|7|00|C|00|C|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00E\x00F\x001\x000\x00F\x00A\x002\x00-\x003\x005\x005\x00E\x00-\x004\x00E\x000\x006\x00-\x009\x003\x008\x001\x00-\x009\x00B\x002\x004\x00D\x007\x00F\x007\x00C\x00C\x008\x008\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7931; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Database Tools Query Designer v7.0 ActiveX Object Access"; flow:from_server,established; content:"2C10A98F-D64F-43B4-BED6-DD0E1BF2074C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C10A98F-D64F-43B4-BED6-DD0E1BF2074C/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4233; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX McSubMgr ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|b|00|e|00|8|00|d|00|7|00|b|00|2|00|-|00|3|00|2|00|9|00|c|00|-|00|4|00|4|00|2|00|a|00|-|00|a|00|4|00|a|00|c|00|-|00|a|00|b|00|a|00|9|00|d|00|7|00|5|00|7|00|2|00|6|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00b\x00e\x008\x00d\x007\x00b\x002\x00-\x003\x002\x009\x00c\x00-\x004\x004\x002\x00a\x00-\x00a\x004\x00a\x00c\x00-\x00a\x00b\x00a\x009\x00d\x007\x005\x007\x002\x006\x000\x002\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7865; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Bitmap ActiveX CLSID access"; flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7429; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Switch Filter ActiveX CLSID access"; flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7490; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Volume ActiveX CLSID access"; flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7496; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8822; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8783; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|7|00|4|00|C|00|A|00|7|00|0|00|F|00|-|00|2|00|2|00|3|00|6|00|-|00|4|00|B|00|A|00|8|00|-|00|A|00|2|00|9|00|7|00|-|00|4|00|B|00|2|00|A|00|2|00|8|00|C|00|2|00|3|00|6|00|3|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x004\x00C\x00A\x007\x000\x00F\x00-\x002\x002\x003\x006\x00-\x004\x00B\x00A\x008\x00-\x00A\x002\x009\x007\x00-\x004\x00B\x002\x00A\x002\x008\x00C\x002\x003\x006\x003\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7459; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID access"; flow:established,to_client; content:"F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7920; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|F|00|2|00|4|00|1|00|D|00|B|00|1|00|-|00|E|00|E|00|9|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|2|00|4|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|C|00|9|00|9|00|E|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x002\x004\x001\x00D\x00B\x001\x00-\x00E\x00E\x009\x00F\x00-\x001\x001\x00D\x000\x00-\x009\x008\x002\x004\x00-\x000\x000\x006\x000\x009\x007\x00C\x009\x009\x00E\x005\x001\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8763; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HTML Help ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|B|00|2|00|3|00|C|00|2|00|8|00|-|00|4|00|8|00|8|00|E|00|-|00|4|00|e|00|5|00|C|00|-|00|A|00|C|00|E|00|2|00|-|00|B|00|B|00|0|00|B|00|B|00|A|00|B|00|E|00|9|00|9|00|E|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00B\x002\x003\x00C\x002\x008\x00-\x004\x008\x008\x00E\x00-\x004\x00e\x005\x00C\x00-\x00A\x00C\x00E\x002\x00-\x00B\x00B\x000\x00B\x00B\x00A\x00B\x00E\x009\x009\x00E\x008\x00/si"; metadata:policy security-ips drop; reference:bugtraq,13953; reference:cve,2005-1208; reference:url,www.microsoft.com/technet/security/bulletin/MS05-026.mspx; classtype:attempted-user; sid:7441; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID access"; flow:established,to_client; content:"63500AE2-0858-11D2-8CE4-00C04F8ECB10"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63500AE2-0858-11D2-8CE4-00C04F8ECB10/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8395; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MsnPUpld ActiveX Object Access"; flow:from_server,established; content:"F107317A-A488-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F107317A-A488-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4173; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Script Definition ActiveX Object Access"; flow:from_server,established; content:"D675E22B-CAE9-11D2-AF7B-00C04F99179F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D675E22B-CAE9-11D2-AF7B-00C04F99179F/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4914; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WDM Instance Provider ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|D|00|5|00|8|00|8|00|B|00|5|00|-|00|D|00|0|00|8|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|9|00|E|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|8|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x00D\x005\x008\x008\x00B\x005\x00-\x00D\x000\x008\x001\x00-\x001\x001\x00D\x000\x00-\x009\x009\x00E\x000\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x008\x00E\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8052; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID access"; flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6686; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|0|00|0|00|2|00|B|00|1|00|7|00|-|00|5|00|D|00|9|00|3|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|1|00|E|00|4|00|-|00|8|00|3|00|1|00|F|00|E|00|F|00|7|00|8|00|0|00|A|00|5|00|3|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x000\x000\x002\x00B\x001\x007\x00-\x005\x00D\x009\x003\x00-\x004\x005\x005\x001\x00-\x008\x001\x00E\x004\x00-\x008\x003\x001\x00F\x00E\x00F\x007\x008\x000\x00A\x005\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7483; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID access"; flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; metadata:policy security-ips drop; reference:cve,2006-1303; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6681; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|C|00|C|00|D|00|D|00|F|00|-|00|C|00|A|00|2|00|8|00|-|00|4|00|9|00|6|00|b|00|-|00|B|00|0|00|5|00|0|00|-|00|6|00|C|00|0|00|7|00|C|00|9|00|6|00|2|00|4|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x00C\x00C\x00D\x00D\x00F\x00-\x00C\x00A\x002\x008\x00-\x004\x009\x006\x00b\x00-\x00B\x000\x005\x000\x00-\x006\x00C\x000\x007\x00C\x009\x006\x002\x004\x007\x006\x00B\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8718; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID access"; flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7452; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT Icon Control ActiveX Object Access"; flow:from_server,established; content:"D24D4450-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4450-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6006; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|E|00|0|00|4|00|5|00|8|00|1|00|-|00|4|00|E|00|E|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|F|00|E|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|B|00|4|00|3|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x00E\x000\x004\x005\x008\x001\x00-\x004\x00E\x00E\x00E\x00-\x001\x001\x00D\x000\x00-\x00B\x00F\x00E\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x00B\x004\x003\x008\x003\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8020; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8829; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID access"; flow:established,to_client; content:"FD179533-D86E-11D0-89D6-00A0C90833E6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD179533-D86E-11D0-89D6-00A0C90833E6/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8756; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|B|00|E|00|B|00|8|00|A|00|0|00|5|00|-|00|B|00|E|00|E|00|E|00|-|00|4|00|4|00|4|00|2|00|-|00|8|00|0|00|4|00|E|00|-|00|4|00|0|00|9|00|D|00|6|00|C|00|4|00|5|00|1|00|5|00|E|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00B\x00E\x00B\x008\x00A\x000\x005\x00-\x00B\x00E\x00E\x00E\x00-\x004\x004\x004\x002\x00-\x008\x000\x004\x00E\x00-\x004\x000\x009\x00D\x006\x00C\x004\x005\x001\x005\x00E\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7977; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network and Dial-Up Connections ActiveX Object Access"; flow:from_server,established; content:"992CFFA0-F557-101A-88EC-00DD010CCC48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*992CFFA0-F557-101A-88EC-00DD010CCC48/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4220; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID access"; flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7468; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ActiveLabel ActiveX Object Access"; flow:from_server,established; content:"99B42120-6EC7-11CF-A6C7-00AA00A47DD2"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99B42120-6EC7-11CF-A6C7-00AA00A47DD2/si"; metadata:policy security-ips drop; reference:bugtraq,5558; reference:cve,2002-0647; reference:url,www.microsoft.com/technet/security/bulletin/MS02-047.mspx; classtype:attempted-user; sid:4147; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID access"; flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7470; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ICM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|0|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x000\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8018; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Smartcard Enrollment ActiveX Object Access"; flow:from_server,established; content:"80CB7887-20DE-11D2-8D5C-00C04FC29D45"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80CB7887-20DE-11D2-8D5C-00C04FC29D45/si"; metadata:policy security-ips drop; reference:cve,2002-0699; reference:url,www.microsoft.com/technet/security/bulletin/MS02-048.mspx; classtype:attempted-user; sid:4181; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|";
fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8832; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXTFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|8|00|5|00|A|00|9|00|1|00|B|00|C|00|-|00|1|00|E|00|8|00|A|00|-|00|4|00|E|00|4|00|A|00|-|00|A|00|7|00|A|00|6|00|-|00|F|00|4|00|F|00|C|00|1|00|E|00|6|00|C|00|A|00|1|00|B|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x008\x005\x00A\x009\x001\x00B\x00C\x00-\x001\x00E\x008\x00A\x00-\x004\x00E\x004\x00A\x00-\x00A\x007\x00A\x006\x00-\x00F\x004\x00F\x00C\x001\x00E\x006\x00C\x00A\x001\x00B\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7927; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8748; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook.Application ActiveX CLSID access"; flow:established,to_client; content:"0006F03A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F03A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8371; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation ActiveX Object Access"; flow:from_server,established; content:"283807B8-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B8-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4202; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BEE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8816; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8804; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeInfo ActiveX Object Access"; flow:from_server,established; content:"00020422-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020422-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4895; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; 
reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8814; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A762-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A762-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8047; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"FF2BBC4A-6881-4294-BE0C-17535B1FCCFA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FF2BBC4A-6881-4294-BE0C-17535B1FCCFA/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4161; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID access"; flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7462; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Multimedia File Property Sheet ActiveX Object Access"; flow:from_server,established; content:"00022613-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00022613-0000-0000-C000-000000000046/si"; 
metadata:policy security-ips drop; reference:bugtraq,5094; classtype:attempted-user; sid:4159; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID access"; flow:established,to_client; content:"760C4B83-E211-11D2-BF3E-00805FBE84A6"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*760C4B83-E211-11D2-BF3E-00805FBE84A6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8401; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"25B0F91C-D23D-11D0-9B85-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25B0F91C-D23D-11D0-9B85-00C04FC2F51D/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8741; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft OpenCable Class ActiveX Object Access"; flow:from_server,established; content:"ABBA001B-3075-11D6-88A4-00B0D0200F88"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ABBA001B-3075-11D6-88A4-00B0D0200F88/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4223; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSOAInterface ActiveX Object Access"; flow:from_server,established; content:"00020424-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020424-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; 
reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4897; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID access"; flow:established,to_client; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BA018599-1DB3-44f9-83B4-461454C84BF8/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8719; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|7|00|9|00|E|00|1|00|3|00|2|00|F|00|-|00|5|00|6|00|1|00|B|00|-|00|4|00|2|00|F|00|8|00|-|00|8|00|4|00|6|00|C|00|-|00|A|00|7|00|0|00|D|00|B|00|D|00|C|00|6|00|2|00|9|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x009\x00E\x001\x003\x002\x00F\x00-\x005\x006\x001\x00B\x00-\x004\x002\x00F\x008\x00-\x008\x004\x006\x00C\x00-\x00A\x007\x000\x00D\x00B\x00D\x00C\x006\x002\x009\x009\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7487; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8771; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8840; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|8|00|6|00|8|00|3|00|0|00|4|00|-|00|A|00|B|00|0|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|6|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x008\x006\x008\x003\x000\x004\x00-\x00A\x00B\x000\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x007\x006\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8775; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HTML Help ActiveX Object Access"; flow:from_server,established; content:"41B23C28-488E-4e5C-ACE2-BB0BBABE99E8"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41B23C28-488E-4e5C-ACE2-BB0BBABE99E8/si"; metadata:policy security-ips drop; reference:bugtraq,13953; 
reference:cve,2005-1208; reference:url,www.microsoft.com/technet/security/bulletin/MS05-026.mspx; classtype:attempted-user; sid:4183; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID access"; flow:established,to_client; content:"98BFD494-F6AD-4794-9038-832C0654CC43"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98BFD494-F6AD-4794-9038-832C0654CC43/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7900; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID access"; flow:established,to_client; content:"639F725F-1B2D-4831-A9FD-874847682010"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*639F725F-1B2D-4831-A9FD-874847682010/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8365; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|6|00|6|00|D|00|6|00|6|00|F|00|A|00|-|00|9|00|6|00|1|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|4|00|2|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|A|00|E|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x006\x006\x00D\x006\x006\x00F\x00A\x00-\x009\x006\x001\x006\x00-\x001\x001\x00D\x002\x00-\x009\x003\x004\x002\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x00A\x00E\x001\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8032; rev:6;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Services on the Web Free/Busy ActiveX Object Access"; flow:from_server,established; content:"F28D867A-DDB1-11D3-B8E8-00A0C981AEEB"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F28D867A-DDB1-11D3-B8E8-00A0C981AEEB/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4217; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|D|00|C|00|6|00|C|00|B|00|8|00|6|00|-|00|4|00|2|00|4|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00D\x00C\x006\x00C\x00B\x008\x006\x00-\x004\x002\x004\x00C\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7911; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMI ASDI Extension ActiveX Object Access"; flow:from_server,established; content:"F0975AFE-5C7F-11D2-8B74-00104B2AFB41"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F0975AFE-5C7F-11D2-8B74-00104B2AFB41/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4236; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID access"; flow:established,to_client; content:"FD78D554-4C6E-11D0-970D-00A0C9191601"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD78D554-4C6E-11D0-970D-00A0C9191601/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8005; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|A|00|0|00|1|00|8|00|5|00|9|00|9|00|-|00|1|00|D|00|B|00|3|00|-|00|4|00|4|00|f|00|9|00|-|00|8|00|3|00|B|00|4|00|-|00|4|00|6|00|1|00|4|00|5|00|4|00|C|00|8|00|4|00|B|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00A\x000\x001\x008\x005\x009\x009\x00-\x001\x00D\x00B\x003\x00-\x004\x004\x00f\x009\x00-\x008\x003\x00B\x004\x00-\x004\x006\x001\x004\x005\x004\x00C\x008\x004\x00B\x00F\x008\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8720; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Alias ActiveX Object Access"; flow:from_server,established; content:"62EC9F22-5E30-11D2-97A1-00C04FB6DD9A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*62EC9F22-5E30-11D2-97A1-00C04FB6DD9A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4904; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft 
Forms 2.0 ListBox ActiveX CLSID access"; flow:established,to_client; content:"8BD21D20-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D20-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7956; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItems3 ActiveX CLSID access"; flow:established,to_client; content:"53C74826-AB99-4D33-ACA4-3117F51D3788"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*53C74826-AB99-4D33-ACA4-3117F51D3788/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7932; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|0|00|5|00|0|00|F|00|3|00|9|00|1|00|-|00|9|00|8|00|B|00|5|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|B|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|C|00|E|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x000\x005\x000\x00F\x003\x009\x001\x00-\x009\x008\x00B\x005\x00-\x001\x001\x00C\x00F\x00-\x00B\x00B\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x00D\x00C\x00E\x000\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8026; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX syncui.dll ActiveX CLSID access"; flow:established,to_client; 
content:"85BBD920-42A0-1069-A2E4-08002B30309D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85BBD920-42A0-1069-A2E4-08002B30309D/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8039; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Route ActiveX Object Access"; flow:from_server,established; content:"1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6003; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|2|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x002\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8048; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Picture Shape Control ActiveX Object 
Access"; flow:from_server,established; content:"6CBE0382-A879-4D2A-8EC3-1F2A43611BA8"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6CBE0382-A879-4D2A-8EC3-1F2A43611BA8/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4213; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID access"; flow:established,to_client; content:"85A4A99C-8C3D-499E-A386-E0743DFF8FB7"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85A4A99C-8C3D-499E-A386-E0743DFF8FB7/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8735; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|D|00|2|00|8|00|D|00|0|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00D\x002\x008\x00D\x000\x00-\x008\x00B\x00F\x004\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8008; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID access"; flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7466; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID access"; flow:established,to_client; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F5B7F63-F06F-4331-8A26-339E03C0AE3D/si"; metadata:policy security-ips drop; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; sid:8369; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|D|00|0|00|8|00|B|00|5|00|8|00|6|00|-|00|3|00|4|00|3|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|4|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|F|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00D\x000\x008\x00B\x005\x008\x006\x00-\x003\x004\x003\x00A\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x004\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00F\x00D\x00F\x00F\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8028; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Helper Object for Java ActiveX Object Access"; flow:from_server,established; content:"8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4235; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 9x8Resize ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|C|00|0|00|D|00|6|00|9|00|A|00|8|00|-|00|0|00|9|00|2|00|3|00|-|00|4|00|E|00|E|00|E|00|-|00|9|00|3|00|7|00|5|00|-|00|9|00|2|00|3|00|9|00|F|00|5|00|A|00|3|00|8|00|B|00|9|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00C\x000\x00D\x006\x009\x00A\x008\x00-\x000\x009\x002\x003\x00-\x004\x00E\x00E\x00E\x00-\x009\x003\x007\x005\x00-\x009\x002\x003\x009\x00F\x005\x00A\x003\x008\x00B\x009\x002\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7426; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID access"; flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7454; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|8|00|6|00|F|00|B|00|4|00|8|00|6|00|-|00|5|00|5|00|6|00|0|00|-|00|4|00|F|00|F|00|3|00|-|00|9|00|6|00|D|00|F|00|-|00|1|00|1|00|1|00|8|00|C|00|9|00|6|00|A|00|F|00|4|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x008\x006\x00F\x00B\x004\x008\x006\x00-\x005\x005\x006\x000\x00-\x004\x00F\x00F\x003\x00-\x009\x006\x00D\x00F\x00-\x001\x001\x001\x008\x00C\x009\x006\x00A\x00F\x004\x005\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7501; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItems3 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|3|00|C|00|7|00|4|00|8|00|2|00|6|00|-|00|A|00|B|00|9|00|9|00|-|00|4|00|D|00|3|00|3|00|-|00|A|00|C|00|A|00|4|00|-|00|3|00|1|00|1|00|7|00|F|00|5|00|1|00|D|00|3|00|7|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x003\x00C\x007\x004\x008\x002\x006\x00-\x00A\x00B\x009\x009\x00-\x004\x00D\x003\x003\x00-\x00A\x00C\x00A\x004\x00-\x003\x001\x001\x007\x00F\x005\x001\x00D\x003\x007\x008\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7933; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CommunicationManager ActiveX CLSID access"; flow:established,to_client; content:"67DCC487-AA48-11D1-8F4F-00C04FB611C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DCC487-AA48-11D1-8F4F-00C04FB611C7/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8001; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,www.microsoft.com/technet/security/Bulletin/MS02-044.mspx; classtype:attempted-user; sid:7875; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSAPP Export Support for Microsoft Access ActiveX Object Access"; flow:from_server,established; content:"98CB4060-D3E7-42A1-8D65-949D34EBFE14"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98CB4060-D3E7-42A1-8D65-949D34EBFE14/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4229; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID access"; flow:established,to_client; content:"844F4806-E8A8-11D2-9652-00C04FC30871"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*844F4806-E8A8-11D2-9652-00C04FC30871/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7987; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|D|00|A|00|2|00|A|00|A|00|3|00|E|00|-|00|3|00|D|00|9|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|2|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00D\x00A\x002\x00A\x00A\x003\x00E\x00-\x003\x00D\x009\x006\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x002\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7445; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|5|00|0|00|0|00|A|00|E|00|2|00|-|00|0|00|8|00|5|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|C|00|E|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|8|00|E|00|C|00|B|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x005\x000\x000\x00A\x00E\x002\x00-\x000\x008\x005\x008\x00-\x001\x001\x00D\x002\x00-\x008\x00C\x00E\x004\x00-\x000\x000\x00C\x000\x004\x00F\x008\x00E\x00C\x00B\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8396; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID access"; flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7442; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSN Setup BBS 4.71.0.10 ActiveX Object Access"; flow:from_server,established; content:"8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8F0F5093-0A70-11D0-BCA9-00C04FD85AA6/si"; metadata:policy security-ips drop; reference:bugtraq,668; reference:cve,1999-1484; classtype:attempted-user; sid:4157; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Stream ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|6|00|6|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x006\x006\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,www.microsoft.com/technet/security/bulletin/ms04-025.mspx; classtype:attempted-user; sid:8062; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID access"; flow:established,to_client; content:"0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0D43FE01-F093-11CF-8940-00A0C9054228/si"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,www.microsoft.com/technet/security/bulletin/ms00-075.mspx; classtype:attempted-user; sid:8069; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ACM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|1|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x001\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7992; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|6|00|F|00|F|00|C|00|2|00|4|00|C|00|-|00|7|00|E|00|1|00|3|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|4|00|7|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x006\x00F\x00F\x00C\x002\x004\x00C\x00-\x007\x00E\x001\x003\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x004\x007\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7951; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|A|00|B|00|4|00|3|00|9|00|E|00|-|00|F|00|C|00|F|00|4|00|-|00|4|00|0|00|D|00|4|00|-|00|9|00|0|00|D|00|A|00|-|00|F|00|7|00|9|00|B|00|A|00|A|00|3|00|B|00|0|00|6|00|5|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00A\x00B\x004\x003\x009\x00E\x00-\x00F\x00C\x00F\x004\x00-\x004\x000\x00D\x004\x00-\x009\x000\x00D\x00A\x00-\x00F\x007\x009\x00B\x00A\x00A\x003\x00B\x000\x006\x005\x005\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8000; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Windows Reporting Tool ActiveX Object Access"; flow:from_server,established; content:"167701E3-FDCF-11D0-A48E-006097C549FF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*167701E3-FDCF-11D0-A48E-006097C549FF/si"; metadata:policy security-ips drop; reference:bugtraq,8454; reference:cve,2003-0530; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; classtype:attempted-user; sid:4160; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8807; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LexRefStEsObject Class ActiveX Object Access"; flow:from_server,established; content:"4CFB5280-800B-4367-848F-5A13EBF27F1D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CFB5280-800B-4367-848F-5A13EBF27F1D/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4208; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebDetectFrm ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|1|00|C|00|6|00|6|00|9|00|C|00|7|00|-|00|E|00|D|00|D|00|D|00|-|00|4|00|2|00|7|00|7|00|-|00|B|00|F|00|5|00|E|00|-|00|6|00|4|00|8|00|0|00|7|00|C|00|B|00|8|00|D|00|C|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x001\x00C\x006\x006\x009\x00C\x007\x00-\x00E\x00D\x00D\x00D\x00-\x004\x002\x007\x007\x00-\x00B\x00F\x005\x00E\x00-\x006\x004\x008\x000\x007\x00C\x00B\x008\x00D\x00C\x00E\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8394; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Active Setup ActiveX Object Access"; flow:from_server,established; content:"F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1/si"; metadata:policy security-ips drop; reference:bugtraq,667; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4169; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL Phobos Class ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|F|00|9|00|9|00|C|00|6|00|B|00|-|00|A|00|3|00|A|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|F|00|6|00|4|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|6|00|1|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x00F\x009\x009\x00C\x006\x00B\x00-\x00A\x003\x00A\x006\x00-\x001\x001\x00D\x004\x00-\x00A\x00F\x006\x004\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x006\x001\x007\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7893; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID access"; flow:established,to_client; content:"06290BD5-48AA-11D2-8432-006008C3FBFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06290BD5-48AA-11D2-8432-006008C3FBFC/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,www.microsoft.com/technet/security/Bulletin/MS99-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; classtype:attempted-user; sid:8064; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8825; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RDS.Dataspace ActiveX Object Access"; flow:from_server,established; content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD96C556-65A3-11D0-983A-00C04FC29E36/si"; metadata:policy security-ips drop; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,www.microsoft.com/technet/security/bulletin/MS06-014.mspx; classtype:attempted-user; sid:6009; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|D|00|4|00|3|00|F|00|E|00|0|00|1|00|-|00|F|00|0|00|9|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|4|00|2|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x00D\x004\x003\x00F\x00E\x000\x001\x00-\x00F\x000\x009\x003\x00-\x001\x001\x00C\x00F\x00-\x008\x009\x004\x000\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x004\x002\x002\x008\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,www.microsoft.com/technet/security/bulletin/ms00-075.mspx; classtype:attempted-user; sid:8070; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Circular Auto Layout Logic 2 ActiveX Object Access"; flow:from_server,established; content:"B0406342-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406342-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6004; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|8|00|A|00|B|00|E|00|1|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|4|00|1|00|C|00|1|00|-|00|A|00|B|00|A|00|3|00|-|00|0|00|5|00|1|00|B|00|6|00|F|00|1|00|1|00|2|00|B|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x008\x00A\x00B\x00E\x001\x002\x003\x00-\x00F\x00A\x00C\x004\x00-\x004\x001\x00C\x001\x00-\x00A\x00B\x00A\x003\x00-\x000\x005\x001\x00B\x006\x00F\x001\x001\x002\x00B\x008\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7885; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_US Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|E|00|E|00|D|00|4|00|C|00|2|00|0|00|-|00|7|00|F|00|1|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00E\x00E\x00D\x004\x00C\x002\x000\x00-\x007\x00F\x001\x00B\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8012; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MTSEvents Class ActiveX Object Access"; flow:from_server,established; content:"ECABB0AB-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0AB-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4892; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID access"; flow:established,to_client; content:"C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8021; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network Connections Tray ActiveX Object Access"; flow:from_server,established; content:"7007ACCF-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACCF-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4219; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID access"; flow:established,to_client; content:"BB339A46-7C49-11d2-9BF3-00C04FA34789"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB339A46-7C49-11d2-9BF3-00C04FA34789/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8753; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Business Object Factory ActiveX CLSID access"; flow:established,to_client; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AB9BCEDD-EC7E-47E1-9322-D4A210617116/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8363; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|1|00|B|00|0|00|9|00|0|00|6|00|6|00|-|00|C|00|9|00|5|00|C|00|-|00|4|00|E|00|F|00|6|00|-|00|8|00|D|00|F|00|D|00|-|00|3|00|D|00|D|00|0|00|A|00|F|00|E|00|6|00|1|00|0|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x001\x00B\x000\x009\x000\x006\x006\x00-\x00C\x009\x005\x00C\x00-\x004\x00E\x00F\x006\x00-\x008\x00D\x00F\x00D\x00-\x003\x00D\x00D\x000\x00A\x00F\x00E\x006\x001\x000\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7899; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access"; flow:from_server,established; content:"F27CE930-4CA3-11D1-AFF2-006097C9A284"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F27CE930-4CA3-11D1-AFF2-006097C9A284/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4199; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8777; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QuickTime Object ActiveX CLSID access"; flow:established,to_client; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8375; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID access"; flow:established,to_client; content:"9478F640-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9478F640-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8037; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX function call"; flow:established,to_client; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 9x8Resize ActiveX CLSID access"; flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7425; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Msb1geen.dll ActiveX Object Access"; flow:from_server,established; content:"208DD6A3-E12B-4755-9607-2E39EF84CFC5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*208DD6A3-E12B-4755-9607-2E39EF84CFC5/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4210; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HHOpen ActiveX Object Access"; flow:from_server,established; content:"130D7743-5F5A-11D1-B676-00A0C9697233"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*130D7743-5F5A-11D1-B676-00A0C9697233/si"; metadata:policy security-ips drop; reference:bugtraq,669; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4192; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID access"; flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7433; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Relationship Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710D-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710D-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4910; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|6|00|3|00|3|00|4|00|4|00|D|00|8|00|-|00|7|00|0|00|D|00|3|00|-|00|4|00|0|00|3|00|2|00|-|00|9|00|B|00|3|00|2|00|-|00|7|00|A|00|3|00|C|00|A|00|D|00|5|00|0|00|9|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x003\x003\x004\x004\x00D\x008\x00-\x007\x000\x00D\x003\x00-\x004\x000\x003\x002\x00-\x009\x00B\x003\x002\x00-\x007\x00A\x003\x00C\x00A\x00D\x005\x000\x009\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6685; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|5|00|3|00|E|00|1|00|9|00|A|00|-|00|4|00|E|00|5|00|4|00|-|00|4|00|1|00|9|00|0|00|-|00|8|00|D|00|E|00|B|00|-|00|2|00|E|00|1|00|C|00|C|00|9|00|4|00|7|00|C|00|D|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x005\x003\x00E\x001\x009\x00A\x00-\x004\x00E\x005\x004\x00-\x004\x001\x009\x000\x00-\x008\x00D\x00E\x00B\x00-\x002\x00E\x001\x00C\x00C\x009\x004\x007\x00C\x00D\x006\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7919; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID access"; flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7456; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BEC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8747; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8823; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX syncui.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|5|00|B|00|B|00|D|00|9|00|2|00|0|00|-|00|4|00|2|00|A|00|0|00|-|00|1|00|0|00|6|00|9|00|-|00|A|00|2|00|E|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|B|00|3|00|0|00|3|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00B\x00B\x00D\x009\x002\x000\x00-\x004\x002\x00A\x000\x00-\x001\x000\x006\x009\x00-\x00A\x002\x00E\x004\x00-\x000\x008\x000\x000\x002\x00B\x003\x000\x003\x000\x009\x00D\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8040; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft VideoPort ActiveX Object Access"; flow:from_server,established; content:"CE292861-FC88-11D0-9E69-00C04FD7C15B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CE292861-FC88-11D0-9E69-00C04FD7C15B/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4224; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Eyedog ActiveX Object Access"; flow:from_server,established; content:"06A7EC63-4E21-11D0-A112-00A0C90543AA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06A7EC63-4E21-11D0-A112-00A0C90543AA/si"; metadata:policy security-ips drop; reference:bugtraq,619; reference:cve,1999-0669; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:4153; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|3|00|1|00|E|00|8|00|7|00|C|00|4|00|-|00|8|00|6|00|E|00|A|00|-|00|4|00|9|00|4|00|0|00|-|00|9|00|B|00|8|00|A|00|-|00|5|00|B|00|D|00|5|00|D|00|1|00|7|00|9|00|A|00|7|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x003\x001\x00E\x008\x007\x00C\x004\x00-\x008\x006\x00E\x00A\x00-\x004\x009\x004\x000\x00-\x009\x00B\x008\x00A\x00-\x005\x00B\x00D\x005\x00D\x001\x007\x009\x00A\x007\x003\x007\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7923; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID access"; flow:established,to_client; content:"4F241DB1-EE9F-11D0-9824-006097C99E51"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F241DB1-EE9F-11D0-9824-006097C99E51/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8762; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|D|00|2|00|D|00|8|00|E|00|0|00|-|00|D|00|1|00|D|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|4|00|0|00|F|00|-|00|0|00|0|00|8|00|0|00|2|00|9|00|0|00|0|00|4|00|3|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x00D\x002\x00D\x008\x00E\x000\x00-\x00D\x001\x00D\x00D\x00-\x001\x001\x00C\x00E\x00-\x009\x004\x000\x00F\x00-\x000\x000\x008\x000\x002\x009\x000\x000\x004\x003\x004\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,www.microsoft.com/technet/security/bulletin/MS00-085.mspx; classtype:attempted-user; sid:8726; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID access"; flow:established,to_client; content:"B0516FF0-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0516FF0-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8035; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX SuperBuddy Class ActiveX 
CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|9|00|5|00|0|00|4|00|B|00|8|00|-|00|5|00|0|00|D|00|1|00|-|00|4|00|A|00|A|00|8|00|-|00|B|00|4|00|D|00|6|00|-|00|9|00|5|00|C|00|8|00|F|00|5|00|8|00|A|00|6|00|4|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x009\x005\x000\x004\x00B\x008\x00-\x005\x000\x00D\x001\x00-\x004\x00A\x00A\x008\x00-\x00B\x004\x00D\x006\x00-\x009\x005\x00C\x008\x00F\x005\x008\x00A\x006\x004\x001\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7984; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|3|00|0|00|F|00|D|00|0|00|2|00|C|00|-|00|B|00|B|00|E|00|7|00|-|00|4|00|E|00|B|00|9|00|-|00|9|00|1|00|C|00|F|00|-|00|F|00|C|00|4|00|5|00|C|00|C|00|9|00|1|00|E|00|3|00|E|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x003\x000\x00F\x00D\x000\x002\x00C\x00-\x00B\x00B\x00E\x007\x00-\x004\x00E\x00B\x009\x00-\x009\x001\x00C\x00F\x00-\x00F\x00C\x004\x005\x00C\x00C\x009\x001\x00E\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7493; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|3|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x003\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8046; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|D|00|2|00|B|00|8|00|4|00|1|00|-|00|7|00|6|00|9|00|2|00|-|00|4|00|C|00|8|00|3|00|-|00|A|00|F|00|D|00|3|00|-|00|F|00|6|00|0|00|E|00|8|00|4|00|5|00|3|00|4|00|1|00|A|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00D\x002\x00B\x008\x004\x001\x00-\x007\x006\x009\x002\x00-\x004\x00C\x008\x003\x00-\x00A\x00F\x00D\x003\x00-\x00F\x006\x000\x00E\x008\x004\x005\x003\x004\x001\x00A\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7499; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network Connections ActiveX Object Access"; flow:from_server,established; content:"7007ACC7-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; 
nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACC7-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4227; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|E|00|F|00|B|00|E|00|C|00|2|00|-|00|4|00|3|00|0|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x00E\x00F\x00B\x00E\x00C\x002\x00-\x004\x003\x000\x002\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-2383; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6518; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Record Queue ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|B|00|4|00|B|00|0|00|5|00|E|00|B|00|-|00|1|00|F|00|6|00|3|00|-|00|4|00|4|00|6|00|B|00|-|00|A|00|A|00|D|00|1|00|-|00|E|00|1|00|0|00|A|00|3|00|4|00|D|00|6|00|5|00|0|00|E|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00B\x004\x00B\x000\x005\x00E\x00B\x00-\x001\x00F\x006\x003\x00-\x004\x004\x006\x00B\x00-\x00A\x00A\x00D\x001\x00-\x00E\x001\x000\x00A\x003\x004\x00D\x006\x005\x000\x00E\x000\x00/si"; 
metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7447; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID access"; flow:established,to_client; content:"742D385A-D5BF-427D-9AF2-88258FB73EAF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*742D385A-D5BF-427D-9AF2-88258FB73EAF/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8399; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8786; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Editing ActiveX Object Access"; flow:from_server,established; content:"6D940285-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940285-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4186; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualExec Control ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|9|00|E|00|A|00|8|00|5|00|2|00|7|00|-|00|6|00|A|00|6|00|A|00|-|00|4|00|0|00|F|00|E|00|-|00|A|00|6|00|7|00|C|00|-|00|8|00|2|00|C|00|F|00|7|00|6|00|3|00|9|00|0|00|2|00|D|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x009\x00E\x00A\x008\x005\x002\x007\x00-\x006\x00A\x006\x00A\x00-\x004\x000\x00F\x00E\x00-\x00A\x006\x007\x00C\x00-\x008\x002\x00C\x00F\x007\x006\x003\x009\x000\x002\x00D\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8408; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dynamic Casts ActiveX function call"; flow:established,to_client; content:"DirectAnimation.DATuple"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7436; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatq.dll ActiveX CLSID access"; flow:established,to_client; content:"B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7995; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Method Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710B-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710B-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4908; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Scripting Host Shell ActiveX 
CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|3|00|5|00|D|00|C|00|2|00|2|00|-|00|1|00|C|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|B|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|5|00|8|00|A|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x003\x005\x00D\x00C\x002\x002\x00-\x001\x00C\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x00B\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x005\x008\x00A\x000\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS00-049.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:8067; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatex.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|4|00|6|00|F|00|0|00|A|00|0|00|-|00|D|00|3|00|6|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|8|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|2|00|3|00|1|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x004\x006\x00F\x000\x00A\x000\x00-\x00D\x003\x006\x007\x00-\x001\x001\x00D\x001\x00-\x008\x002\x008\x006\x00-\x000\x000\x00A\x000\x00C\x009\x002\x003\x001\x00C\x002\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7994; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID access"; flow:established,to_client; content:"B0A6BAE2-AAF0-11D0-A152-00A0C908DB96"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0A6BAE2-AAF0-11D0-A152-00A0C908DB96/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8759; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Allocator Fix ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|0|00|D|00|0|00|7|00|6|00|C|00|5|00|-|00|E|00|4|00|C|00|6|00|-|00|4|00|5|00|6|00|1|00|-|00|8|00|B|00|F|00|4|00|-|00|8|00|0|00|D|00|A|00|8|00|D|00|B|00|8|00|1|00|9|00|D|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x000\x00D\x000\x007\x006\x00C\x005\x00-\x00E\x004\x00C\x006\x00-\x004\x005\x006\x001\x00-\x008\x00B\x00F\x004\x00-\x008\x000\x00D\x00A\x008\x00D\x00B\x008\x001\x009\x00D\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7428; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID access"; flow:established,to_client; content:"52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8003; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|6|00|7|00|3|00|D|00|C|00|F|00|2|00|-|00|C|00|3|00|1|00|6|00|-|00|4|00|C|00|6|00|F|00|-|00|A|00|A|00|9|00|6|00|-|00|4|00|E|00|4|00|D|00|C|00|6|00|D|00|C|00|2|00|9|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x006\x007\x003\x00D\x00C\x00F\x002\x00-\x00C\x003\x001\x006\x00-\x004\x00C\x006\x00F\x00-\x00A\x00A\x009\x006\x00-\x004\x00E\x004\x00D\x00C\x006\x00D\x00C\x002\x009\x001\x00E\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; classtype:attempted-user; sid:7915; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PostBootReminder object ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|8|00|4|00|9|00|5|00|9|00|6|00|A|00|-|00|4|00|8|00|E|00|A|00|-|00|4|00|8|00|6|00|E|00|-|00|8|00|9|00|3|00|7|00|-|00|A|00|2|00|A|00|3|00|0|00|0|00|9|00|F|00|3|00|1|00|A|00|9|00|"; fast_pattern:only; 
nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x008\x004\x009\x005\x009\x006\x00A\x00-\x004\x008\x00E\x00A\x00-\x004\x008\x006\x00E\x00-\x008\x009\x003\x007\x00-\x00A\x002\x00A\x003\x000\x000\x009\x00F\x003\x001\x00A\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7971; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX French_French Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|A|00|6|00|E|00|B|00|0|00|5|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00A\x006\x00E\x00B\x000\x005\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8014; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID access"; flow:established,to_client; content:"C1145550-A454-11D4-9020-00D0B7239081"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C1145550-A454-11D4-9020-00D0B7239081/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7888; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL Phobos Class ActiveX CLSID access"; flow:established,to_client; content:"D9F99C6B-A3A6-11D4-AF64-444553546170"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D9F99C6B-A3A6-11D4-AF64-444553546170/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7892; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID access"; flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7498; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID access"; flow:established,to_client; content:"50B4791F-4731-11D0-8912-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50B4791F-4731-11D0-8912-00C04FC2A0CA/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8744; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DocFind Command ActiveX CLSID access"; flow:established,to_client; content:"B005E690-678D-11D1-B758-00A0C90564FE"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B005E690-678D-11D1-B758-00A0C90564FE/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8411; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VMR Allocator Presenter 9 ActiveX Object Access"; flow:from_server,established; 
content:"2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4901; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|C|00|B|00|0|00|8|00|C|00|E|00|-|00|A|00|B|00|3|00|D|00|-|00|4|00|7|00|7|00|9|00|-|00|9|00|C|00|7|00|7|00|-|00|6|00|2|00|A|00|4|00|3|00|9|00|B|00|F|00|E|00|6|00|C|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00C\x00B\x000\x008\x00C\x00E\x00-\x00A\x00B\x003\x00D\x00-\x004\x007\x007\x009\x00-\x009\x00C\x007\x007\x00-\x006\x002\x00A\x004\x003\x009\x00B\x00F\x00E\x006\x00C\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7897; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|1|00|5|00|4|00|9|00|E|00|5|00|8|00|-|00|3|00|8|00|9|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|B|00|7|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|9|00|9|00|C|00|4|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x001\x005\x004\x009\x00E\x005\x008\x00-\x003\x008\x009\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00B\x007\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x009\x009\x00C\x004\x00C\x001\x00/si"; metadata:policy 
security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8751; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|A|00|0|00|4|00|D|00|9|00|3|00|B|00|-|00|1|00|E|00|D|00|D|00|-|00|4|00|F|00|3|00|F|00|-|00|A|00|3|00|7|00|5|00|-|00|A|00|0|00|3|00|E|00|C|00|1|00|9|00|5|00|7|00|2|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00A\x000\x004\x00D\x009\x003\x00B\x00-\x001\x00E\x00D\x00D\x00-\x004\x00F\x003\x00F\x00-\x00A\x003\x007\x005\x00-\x00A\x000\x003\x00E\x00C\x001\x009\x005\x007\x002\x00C\x004\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7947; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeComp ActiveX Object Access"; flow:from_server,established; content:"00020425-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020425-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4898; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MPEG-4 Video Decompressor Property Page ActiveX Object Access"; flow:from_server,established; content:"598EBA02-B49A-11D2-A1C1-00609778EA66"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*598EBA02-B49A-11D2-A1C1-00609778EA66/si"; metadata:policy security-ips drop; 
reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4206; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID access"; flow:established,to_client; content:"69AD90EF-1C20-11D1-8801-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69AD90EF-1C20-11D1-8801-00C04FC29D46/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7952; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX IAVIStream & IAVIFile Proxy ActiveX Object Access"; flow:from_server,established; content:"0002000D-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002000D-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4890; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Queued Components Recorder ActiveX Object Access"; flow:from_server,established; content:"ECABAFC2-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC2-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4201; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8820; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX htmlfile ActiveX Object Access"; flow:from_server,established; content:"25336921-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25336921-03F9-11CF-8FD0-00AA00686F13/si"; metadata:policy security-ips drop; reference:bugtraq,1718; reference:cve,2001-0149; reference:url,www.microsoft.com/technet/security/bulletin/MS01-015.mspx; classtype:attempted-user; sid:4155; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|2|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x002\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8044; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID access"; flow:established,to_client; content:"9F8E6421-3D9B-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F8E6421-3D9B-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7936; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8837; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID access"; flow:established,to_client; content:"6D36CE10-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D36CE10-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8023; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8780; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|5|00|3|00|3|00|5|00|9|00|C|00|1|00|-|00|3|00|9|00|E|00|1|00|-|00|4|00|9|00|1|00|b|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|6|00|4|00|F|00|D|00|8|00|A|00|B|00|0|00|7|00|1|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x005\x003\x003\x005\x009\x00C\x001\x00-\x003\x009\x00E\x001\x00-\x004\x009\x001\x00b\x00-\x009\x009\x005\x001\x00-\x004\x006\x004\x00F\x00D\x008\x00A\x00B\x000\x007\x001\x00C\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6683; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Recordset ActiveX CLSID access"; flow:established,to_client; content:"00000535-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000535-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7868; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|7|00|1|00|B|00|4|00|0|00|6|00|3|00|-|00|3|00|E|00|5|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x007\x001\x00B\x004\x000\x006\x003\x00-\x003\x00E\x005\x009\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7925; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8799; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion ActiveX CLSID access"; flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7474; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8769; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID access"; flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7458; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|8|00|E|00|6|00|4|00|2|00|1|00|-|00|3|00|D|00|9|00|B|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x008\x00E\x006\x004\x002\x001\x00-\x003\x00D\x009\x00B\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7937; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|8|00|5|00|3|00|C|00|D|00|9|00|-|00|7|00|F|00|8|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|2|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|5|00|A|00|B|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x008\x005\x003\x00C\x00D\x009\x00-\x007\x00F\x008\x006\x00-\x001\x001\x00D\x000\x00-\x008\x002\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x005\x00A\x00B\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7917; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Volume ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|E|00|E|00|4|00|3|00|D|00|6|00|-|00|B|00|F|00|E|00|5|00|-|00|4|00|4|00|B|00|0|00|-|00|8|00|0|00|6|00|3|00|-|00|A|00|C|00|3|00|B|00|2|00|9|00|6|00|6|00|A|00|B|00|2|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x00E\x00E\x004\x003\x00D\x006\x00-\x00B\x00F\x00E\x005\x00-\x004\x004\x00B\x000\x00-\x008\x000\x006\x003\x00-\x00A\x00C\x003\x00B\x002\x009\x006\x006\x00A\x00B\x002\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7497; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|E|00|A|00|1|00|0|00|0|00|3|00|1|00|-|00|0|00|0|00|3|00|3|00|-|00|4|00|5|00|0|00|E|00|-|00|8|00|0|00|7|00|2|00|-|00|E|00|2|00|7|00|D|00|9|00|E|00|7|00|6|00|8|00|1|00|4|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00E\x00A\x001\x000\x000\x003\x001\x00-\x000\x000\x003\x003\x00-\x004\x005\x000\x00E\x00-\x008\x000\x007\x002\x00-\x00E\x002\x007\x00D\x009\x00E\x007\x006\x008\x001\x004\x002\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7463; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID access"; flow:established,to_client; content:"0002E552-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E552-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,www.microsoft.com/technet/security/Bulletin/MS02-044.mspx; classtype:attempted-user; sid:7874; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|3|00|F|00|9|00|9|00|8|00|B|00|2|00|-|00|0|00|E|00|0|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|A|00|4|00|9|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|E|00|B|00|5|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x003\x00F\x009\x009\x008\x00B\x002\x00-\x000\x00E\x000\x000\x00-\x001\x001\x00D\x003\x00-\x00A\x004\x009\x008\x00-\x000\x000\x001\x000\x004\x00B\x006\x00E\x00B\x005\x002\x00E\x00/si"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7879; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|D|00|2|00|0|00|D|00|4|00|B|00|B|00|-|00|B|00|4|00|7|00|E|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|3|00|B|00|D|00|-|00|E|00|3|00|C|00|2|00|E|00|E|00|2|00|5|00|0|00|D|00|2|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00D\x002\x000\x00D\x004\x00B\x00B\x00-\x00B\x004\x007\x00E\x00-\x004\x00F\x00B\x007\x00-\x008\x003\x00B\x00D\x00-\x00E\x003\x00C\x002\x00E\x00E\x002\x005\x000\x00D\x002\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7475; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Third-Party Plugin ActiveX Object Access"; flow:from_server,established; content:"06DD38D3-D187-11CF-A80D-00C04FD74AD8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06DD38D3-D187-11CF-A80D-00C04FD74AD8/si"; metadata:policy security-ips drop; reference:cve,2003-0233; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-user; sid:4189; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID access"; flow:established,to_client; content:"860BB310-5D01-11D0-BD3B-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860BB310-5D01-11D0-BD3B-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8041; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID access"; flow:established,to_client; content:"8BD21D30-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D30-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; reference:cve,1999-0384; reference:url,www.microsoft.com/technet/security/bulletin/ms99-001.mspx; classtype:attempted-user; sid:7954; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8772; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Outllib.dll ActiveX Object Access"; flow:from_server,established; content:"0006F02A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F02A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4222; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItem2 ActiveX CLSID access"; flow:established,to_client; content:"FEF10FA2-355E-4E06-9381-9B24D7F7CC88"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FEF10FA2-355E-4E06-9381-9B24D7F7CC88/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7930; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor Source Properties ActiveX Object Access"; flow:from_server,established; content:"0CF32AA1-7571-11D0-93C4-00AA00A3DDEA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CF32AA1-7571-11D0-93C4-00AA00A3DDEA/si"; metadata:policy security-ips drop; reference:bugtraq,7384; classtype:attempted-user; sid:4151; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RAV Online Scanner ActiveX Object Access"; flow:from_server,established; content:"D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249/si"; metadata:policy security-ips drop; reference:bugtraq,11448; reference:cve,2004-0936; reference:url,www.microsoft.com/technet/security/bulletin/MS03-048.mspx; classtype:attempted-user; sid:4188; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|2|00|4|00|1|00|F|00|0|00|1|00|5|00|-|00|8|00|4|00|D|00|3|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|7|00|E|00|6|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|3|00|F|00|F|00|7|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x002\x004\x001\x00F\x000\x001\x005\x00-\x008\x004\x00D\x003\x00-\x001\x001\x00d\x002\x00-\x009\x007\x00E\x006\x00-\x000\x000\x000\x000\x00F\x008\x000\x003\x00F\x00F\x007\x00A\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7913; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID access"; flow:established,to_client; content:"8EE42293-C315-11D0-8D6F-00A0C9A06E1F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8EE42293-C315-11D0-8D6F-00A0C9A06E1F/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7997; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID access"; flow:established,to_client; content:"ECABB0BF-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0BF-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8033; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid access"; flow:established,to_client; content:"8B21775E-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2007-2216; reference:url,www.microsoft.com/technet/security/bulletin/ms07-045.mspx; classtype:attempted-user; sid:12269; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID access"; flow:established,to_client; content:"623E2882-FC0E-11D1-9A77-0000F8756A10"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*623E2882-FC0E-11D1-9A77-0000F8756A10/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; reference:url,osvdb.org/27109; classtype:attempted-user; sid:7940; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID access"; flow:established,to_client; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8CCCDDF-CA28-496b-B050-6C07C962476B/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8717; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Frame Eater ActiveX CLSID access"; flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7437; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID access"; flow:established,to_client; content:"D2923B86-15F1-46FF-A19A-DE825F919576"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2923B86-15F1-46FF-A19A-DE825F919576/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7989; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebDetectFrm ActiveX CLSID access"; flow:established,to_client; content:"61C669C7-EDDD-4277-BF5E-64807CB8DCEF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*61C669C7-EDDD-4277-BF5E-64807CB8DCEF/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8393; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|1|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x001\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8835; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Type Library ActiveX Object Access"; flow:from_server,established; content:"6E22710E-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710E-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4911; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|E|00|F|00|E|00|2|00|4|00|5|00|2|00|-|00|1|00|6|00|8|00|A|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|C|00|7|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|9|00|4|00|5|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00E\x00F\x00E\x002\x004\x005\x002\x00-\x001\x006\x008\x00A\x00-\x001\x001\x00D\x001\x00-\x00B\x00C\x007\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x009\x004\x005\x003\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8030; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|0|00|0|00|7|00|2|00|5|00|B|00|-|00|C|00|4|00|5|00|5|00|-|00|4|00|D|00|E|00|6|00|-|00|B|00|F|00|B|00|6|00|-|00|A|00|D|00|5|00|4|00|0|00|A|00|D|00|4|00|2|00|7|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x000\x000\x007\x002\x005\x00B\x00-\x00C\x004\x005\x005\x00-\x004\x00D\x00E\x006\x00-\x00B\x00F\x00B\x006\x00-\x00A\x00D\x005\x004\x000\x00A\x00D\x004\x002\x007\x00C\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7881; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|E|00|D|00|A|00|8|00|9|00|A|00|-|00|0|00|9|00|6|00|6|00|-|00|4|00|B|00|9|00|1|00|-|00|9|00|C|00|1|00|8|00|-|00|A|00|B|00|6|00|9|00|F|00|0|00|9|00|8|00|1|00|8|00|7|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00E\x00D\x00A\x008\x009\x00A\x00-\x000\x009\x006\x006\x00-\x004\x00B\x009\x001\x00-\x009\x00C\x001\x008\x00-\x00A\x00B\x006\x009\x00F\x000\x009\x008\x001\x008\x007\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7467; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Collection Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710A-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710A-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4907; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8841; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shortcut Handler ActiveX Object Access"; flow:from_server,established; content:"00021401-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00021401-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4915; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Rendezvous Class ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|1|00|0|00|2|00|9|00|E|00|5|00|B|00|-|00|C|00|B|00|5|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|5|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|1|00|A|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x001\x000\x002\x009\x00E\x005\x00B\x00-\x00C\x00B\x005\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x005\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x009\x001\x00A\x00C\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7975; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID access"; flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7444; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|2|00|C|00|A|00|3|00|B|00|C|00|F|00|-|00|3|00|B|00|9|00|B|00|-|00|4|00|1|00|9|00|E|00|-|00|A|00|3|00|D|00|6|00|-|00|5|00|D|00|2|00|8|00|C|00|0|00|B|00|0|00|B|00|5|00|0|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x002\x00C\x00A\x003\x00B\x00C\x00F\x00-\x003\x00B\x009\x00B\x00-\x004\x001\x009\x00E\x00-\x00A\x003\x00D\x006\x00-\x005\x00D\x002\x008\x00C\x000\x00B\x000\x00B\x005\x000\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8004; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|D|00|C|00|8|00|D|00|D|00|9|00|-|00|2|00|C|00|C|00|1|00|-|00|4|00|0|00|8|00|1|00|-|00|9|00|B|00|2|00|B|00|-|00|2|00|0|00|D|00|7|00|0|00|3|00|0|00|2|00|3|00|4|00|E|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00D\x00C\x008\x00D\x00D\x009\x00-\x002\x00C\x00C\x001\x00-\x004\x000\x008\x001\x00-\x009\x00B\x002\x00B\x00-\x002\x000\x00D\x007\x000\x003\x000\x002\x003\x004\x00E\x00F\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6680; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8811; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXTFilter ActiveX CLSID access"; flow:established,to_client; content:"385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7926; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4164; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID access"; flow:established,to_client; content:"A8ABE123-FAC4-41C1-ABA3-051B6F112B83"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8ABE123-FAC4-41C1-ABA3-051B6F112B83/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7884; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID access"; flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7472; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|7|00|2|00|3|00|E|00|0|00|9|00|-|00|F|00|4|00|C|00|2|00|-|00|4|00|3|00|c|00|8|00|-|00|8|00|3|00|5|00|8|00|-|00|0|00|9|00|F|00|C|00|D|00|1|00|D|00|B|00|0|00|7|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x007\x002\x003\x00E\x000\x009\x00-\x00F\x004\x00C\x002\x00-\x004\x003\x00c\x008\x00-\x008\x003\x005\x008\x00-\x000\x009\x00F\x00C\x00D\x001\x00D\x00B\x000\x007\x006\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8374; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ICM Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A760-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A760-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8017; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|5|00|B|00|0|00|F|00|9|00|1|00|C|00|-|00|D|00|2|00|3|00|D|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|8|00|5|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x005\x00B\x000\x00F\x009\x001\x00C\x00-\x00D\x002\x003\x00D\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x008\x005\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8742; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeLib ActiveX Object Access"; flow:from_server,established; content:"00020423-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020423-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4896; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|6|00|0|00|4|00|E|00|F|00|E|00|-|00|8|00|8|00|9|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|4|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|1|00|2|00|E|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x006\x000\x004\x00E\x00F\x00E\x00-\x008\x008\x009\x007\x00-\x001\x001\x00D\x001\x00-\x00B\x009\x004\x004\x00-\x000\x000\x00A\x000\x00C\x009\x000\x003\x001\x002\x00E\x001\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7949; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Import Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|D|00|4|00|C|00|9|00|F|00|E|00|F|00|-|00|E|00|D|00|8|00|0|00|-|00|4|00|7|00|E|00|A|00|-|00|A|00|3|00|F|00|A|00|-|00|3|00|2|00|1|00|5|00|F|00|D|00|B|00|B|00|3|00|3|00|A|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00D\x004\x00C\x009\x00F\x00E\x00F\x00-\x00E\x00D\x008\x000\x00-\x004\x007\x00E\x00A\x00-\x00A\x003\x00F\x00A\x00-\x003\x002\x001\x005\x00F\x00D\x00B\x00B\x003\x003\x00A\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7477; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID access"; flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7486; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|1|00|7|00|9|00|5|00|3|00|3|00|-|00|D|00|8|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x001\x007\x009\x005\x003\x003\x00-\x00D\x008\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x006\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8757; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Popup Window ActiveX Object Access"; flow:from_server,established; content:"3050F667-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F667-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4215; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID access"; flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7890; rev:5;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|A|00|6|00|B|00|A|00|E|00|2|00|-|00|A|00|A|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|1|00|5|00|2|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|D|00|B|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x00A\x006\x00B\x00A\x00E\x002\x00-\x00A\x00A\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x001\x005\x002\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x00D\x00B\x009\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8760; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID access"; flow:established,to_client; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D0C07D56-7C69-43F1-B4A0-25F5A11FAB19/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8367; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|5|00|B|00|C|00|B|00|E|00|E|00|4|00|-|00|7|00|7|00|2|00|8|00|-|00|4|00|1|00|A|00|0|00|-|00|9|00|7|00|B|00|E|00|-|00|1|00|4|00|E|00|1|00|C|00|A|00|E|00|3|00|6|00|A|00|A|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x005\x00B\x00C\x00B\x00E\x00E\x004\x00-\x007\x007\x002\x008\x00-\x004\x001\x00A\x000\x00-\x009\x007\x00B\x00E\x00-\x001\x004\x00E\x001\x00C\x00A\x00E\x003\x006\x00A\x00A\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8398; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID access"; flow:established,to_client; content:"AF868304-AB0B-11D0-876A-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF868304-AB0B-11D0-876A-00C04FC29D46/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8774; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|9|00|2|00|3|00|B|00|8|00|6|00|-|00|1|00|5|00|F|00|1|00|-|00|4|00|6|00|F|00|F|00|-|00|A|00|1|00|9|00|A|00|-|00|D|00|E|00|8|00|2|00|5|00|F|00|9|00|1|00|9|00|5|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x009\x002\x003\x00B\x008\x006\x00-\x001\x005\x00F\x001\x00-\x004\x006\x00F\x00F\x00-\x00A\x001\x009\x00A\x00-\x00D\x00E\x008\x002\x005\x00F\x009\x001\x009\x005\x007\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7990; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Library Shape Control ActiveX Object Access"; flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4211; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|8|00|B|00|F|00|D|00|4|00|9|00|4|00|-|00|F|00|6|00|A|00|D|00|-|00|4|00|7|00|9|00|4|00|-|00|9|00|0|00|3|00|8|00|-|00|8|00|3|00|2|00|C|00|0|00|6|00|5|00|4|00|C|00|C|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x008\x00B\x00F\x00D\x004\x009\x004\x00-\x00F\x006\x00A\x00D\x00-\x004\x007\x009\x004\x00-\x009\x000\x003\x008\x00-\x008\x003\x002\x00C\x000\x006\x005\x004\x00C\x00C\x004\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7901; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Share Point Portal Services Log Sink ActiveX Object Access"; flow:from_server,established; content:"DE4735F3-7532-4895-93DC-9A10C4257173"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DE4735F3-7532-4895-93DC-9A10C4257173/si"; metadata:policy security-ips drop; reference:bugtraq,12646; reference:bugtraq,14515; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB837253; classtype:attempted-user; sid:4146; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX 
CLSID access"; flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7431; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Straight Line Routing Logic 2 ActiveX Object Access"; flow:from_server,established; content:"B0406343-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406343-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6005; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID access"; flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7488; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|9|00|F|00|7|00|2|00|5|00|F|00|-|00|1|00|B|00|2|00|D|00|-|00|4|00|8|00|3|00|1|00|-|00|A|00|9|00|F|00|D|00|-|00|8|00|7|00|4|00|8|00|4|00|7|00|6|00|8|00|2|00|0|00|1|00|0|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x009\x00F\x007\x002\x005\x00F\x00-\x001\x00B\x002\x00D\x00-\x004\x008\x003\x001\x00-\x00A\x009\x00F\x00D\x00-\x008\x007\x004\x008\x004\x007\x006\x008\x002\x000\x001\x000\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8366; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID access"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7500; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CComAcctImport ActiveX Object Access"; flow:from_server,established; content:"1AA06BA1-0E88-11D1-8391-00C04FBD7C09"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1AA06BA1-0E88-11D1-8391-00C04FBD7C09/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4216; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Source ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|4|00|C|00|6|00|5|00|C|00|7|00|-|00|F|00|D|00|F|00|1|00|-|00|4|00|5|00|3|00|D|00|-|00|8|00|9|00|A|00|5|00|-|00|B|00|C|00|C|00|2|00|8|00|F|00|5|00|D|00|6|00|9|00|F|00|9|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x004\x00C\x006\x005\x00C\x007\x00-\x00F\x00D\x00F\x001\x00-\x004\x005\x003\x00D\x00-\x008\x009\x00A\x005\x00-\x00B\x00C\x00C\x002\x008\x00F\x005\x00D\x006\x009\x00F\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7495; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Search Assistant UI ActiveX Object Access"; flow:from_server,established; content:"47C6C527-6204-4F91-849D-66E234DEE015"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47C6C527-6204-4F91-849D-66E234DEE015/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4230; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Data Object ActiveX CLSID access"; flow:established,to_client; content:"0006F033-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F033-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8721; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID access"; flow:established,to_client; content:"01E04581-4EEE-11D0-BFE9-00AA005B4383"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01E04581-4EEE-11D0-BFE9-00AA005B4383/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8019; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID access"; flow:established,to_client; content:"466D66FA-9616-11D2-9342-0000F875AE17"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*466D66FA-9616-11D2-9342-0000F875AE17/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8031; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID access"; flow:established,to_client; content:"3050F391-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F391-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8025; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|7|00|8|00|D|00|5|00|5|00|4|00|-|00|4|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|7|00|0|00|D|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|9|00|1|00|6|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x007\x008\x00D\x005\x005\x004\x00-\x004\x00C\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x009\x007\x000\x00D\x00-\x000\x000\x00A\x000\x00C\x009\x001\x009\x001\x006\x000\x001\x00/si"; metadata:policy security-ips drop; 
reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8006; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VMR ImageSync 9 ActiveX Object Access"; flow:from_server,established; content:"E4979309-7A32-495E-8A92-7B014AAD4961"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E4979309-7A32-495E-8A92-7B014AAD4961/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4903; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|C|00|B|00|1|00|6|00|2|00|3|00|E|00|-|00|B|00|B|00|E|00|C|00|-|00|4|00|E|00|8|00|D|00|-|00|B|00|2|00|D|00|F|00|-|00|D|00|C|00|0|00|8|00|C|00|6|00|F|00|4|00|6|00|2|00|7|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00C\x00B\x001\x006\x002\x003\x00E\x00-\x00B\x00B\x00E\x00C\x00-\x004\x00E\x008\x00D\x00-\x00B\x002\x00D\x00F\x00-\x00D\x00C\x000\x008\x00C\x006\x00F\x004\x006\x002\x007\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7461; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8805; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|8|00|F|00|2|00|0|00|9|00|F|00|8|00|-|00|4|00|8|00|0|00|E|00|-|00|4|00|5|00|4|00|C|00|-|00|9|00|4|00|A|00|4|00|-|00|5|00|3|00|9|00|2|00|D|00|8|00|8|00|E|00|B|00|A|00|0|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x008\x00F\x002\x000\x009\x00F\x008\x00-\x004\x008\x000\x00E\x00-\x004\x005\x004\x00C\x00-\x009\x004\x00A\x004\x00-\x005\x003\x009\x002\x00D\x008\x008\x00E\x00B\x00A\x000\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7465; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID access"; flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; 
classtype:attempted-user; sid:7460; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|2|00|C|00|3|00|F|00|A|00|A|00|E|00|-|00|C|00|8|00|A|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|C|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|D|00|5|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x002\x00C\x003\x00F\x00A\x00A\x00E\x00-\x00C\x008\x00A\x00C\x00-\x001\x001\x00D\x000\x00-\x00B\x00C\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00D\x005\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7921; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Workspace ActiveX Object Access"; flow:from_server,established; content:"B1D4ED44-EE64-11D0-97E6-00C04FC30B4A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1D4ED44-EE64-11D0-97E6-00C04FC30B4A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4913; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Symantec RuFSI registry Information Class ActiveX Object Access"; flow:from_server,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; metadata:policy security-ips drop; reference:bugtraq,8008; reference:cve,2003-0470; reference:url,www.microsoft.com/technet/security/bulletin/MS03-048.mspx; classtype:attempted-user; sid:4174; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 
any (msg:"WEB-ACTIVEX Kodak Thumbnail Image ActiveX Object Access"; flow:from_server,established; content:"E1A6B8A0-3603-101C-AC6E-040224009C02"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E1A6B8A0-3603-101C-AC6E-040224009C02/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4190; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID access"; flow:established,to_client; content:"5D08B586-343A-11D0-AD46-00C04FD8FDFF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5D08B586-343A-11D0-AD46-00C04FD8FDFF/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8027; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX clsid access"; flow:established,to_client; content:"5b7524c8-2446-40e9-9474-94a779dba224"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14764; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8784; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000/2002 Web Components PivotTable ActiveX Object Access"; flow:from_server,established; content:"0002E520-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E520-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4175; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WDM Instance Provider ActiveX CLSID access"; flow:established,to_client; content:"D2D588B5-D081-11D0-99E0-00C04FC2F8EC"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2D588B5-D081-11D0-99E0-00C04FC2F8EC/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8051; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD0-3C52-11D0-9200-848C1D000000/si"; 
metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8795; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSN Chat v4.5, 4.6 ActiveX Object Access"; flow:from_server,established; content:"9088E688-063A-4806-A3DB-6522712FC061"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9088E688-063A-4806-A3DB-6522712FC061/si"; metadata:policy security-ips drop; reference:bugtraq,4707; reference:cve,2002-0155; reference:url,www.microsoft.com/technet/security/bulletin/MS02-022.mspx; classtype:attempted-user; sid:4182; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSEnumVariant ActiveX Object Access"; flow:from_server,established; content:"00020421-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020421-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4894; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID access"; flow:established,to_client; content:"9F62797E-1249-4596-9FF7-AC6D851A542A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F62797E-1249-4596-9FF7-AC6D851A542A/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7886; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID access"; flow:established,to_client; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F935DC22-1CF0-11D0-ADB9-00C04FD58A0B/si"; metadata:policy security-ips drop; 
reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS00-049.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:8066; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Layout ActiveX Object Access"; flow:from_server,established; content:"4CECCEB1-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB1-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6007; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8831; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Object ActiveX Object Access"; flow:from_server,established; content:"6E2270FB-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E2270FB-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy 
security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4905; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Stetch ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|4|00|4|00|B|00|B|00|2|00|D|00|0|00|-|00|F|00|0|00|7|00|0|00|-|00|4|00|6|00|3|00|E|00|-|00|9|00|4|00|3|00|3|00|-|00|B|00|0|00|C|00|C|00|F|00|3|00|C|00|F|00|D|00|6|00|2|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x004\x004\x00B\x00B\x002\x00D\x000\x00-\x00F\x000\x007\x000\x00-\x004\x006\x003\x00E\x00-\x009\x004\x003\x003\x00-\x00B\x000\x00C\x00C\x00F\x003\x00C\x00F\x00D\x006\x002\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7451; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|8|00|3|00|8|00|0|00|7|00|B|00|5|00|-|00|2|00|C|00|6|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|1|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x008\x003\x008\x000\x007\x00B\x005\x00-\x002\x00C\x006\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x001\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8766; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID access"; flow:established,to_client; content:"FBEB8A05-BEEE-4442-804E-409D6C4515E9"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FBEB8A05-BEEE-4442-804E-409D6C4515E9/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7976; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID access"; flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7482; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8813; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Database Tools Database Designer v7.0 ActiveX Object Access"; flow:from_server,established; content:"03CB9467-FD9D-42A8-82F9-8615B4223E6E"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03CB9467-FD9D-42A8-82F9-8615B4223E6E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4205; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"72770C4F-967D-4517-982B-92D6B9015649"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72770C4F-967D-4517-982B-92D6B9015649/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4162; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook.Application ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|A|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x00A\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8372; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID unicode access"; flow:established,to_client; 
content:"7|00|6|00|0|00|C|00|4|00|B|00|8|00|3|00|-|00|E|00|2|00|1|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|F|00|3|00|E|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|B|00|E|00|8|00|4|00|A|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x006\x000\x00C\x004\x00B\x008\x003\x00-\x00E\x002\x001\x001\x00-\x001\x001\x00D\x002\x00-\x00B\x00F\x003\x00E\x00-\x000\x000\x008\x000\x005\x00F\x00B\x00E\x008\x004\x00A\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8402; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID access"; flow:established,to_client; content:"E0CB08CE-AB3D-4779-9C77-62A439BFE6C3"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0CB08CE-AB3D-4779-9C77-62A439BFE6C3/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7896; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8792; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"05E6787D-82D9-4D24-91DD-97FE8D199501"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05E6787D-82D9-4D24-91DD-97FE8D199501/si"; metadata:policy security-ips drop; reference:bugtraq,13946; 
reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4197; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Scan Control ActiveX Object Access"; flow:from_server,established; content:"84926CA0-2941-101C-816F-0E6013114B7F"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*84926CA0-2941-101C-816F-0E6013114B7F/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4180; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Video 7 ActiveX clsid access"; flow:established,to_client; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-032.mspx; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; classtype:attempted-user; sid:15672; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode"; flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"String.fromCharCode|28|"; fast_pattern; nocase; pcre:"/new\s*ActiveXObject\(\s*String.fromCharCode\(/smi"; metadata:policy security-ips drop; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16574; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated ActiveX object instantiation via unescape"; flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/new\s*ActiveXObject\(\s*unescape\(/smi"; metadata:policy security-ips drop; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16573; rev:2;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:established,to_client; isdataat:1024; content:"ctrl.InstallBrowserHelperDll"; nocase; content:"General_ServerName"; nocase; content:!">"; within:1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft creator.dll 2 ActiveX clsid access"; flow:established,to_client; content:"F849164D-9863-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MyInfo.dll ActiveX clsid access"; flow:established,to_client; content:"4682C82A-B2FF-11D0-95A8-00A0C92B77A9"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17592; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft creator.dll 1 ActiveX clsid access"; flow:established,to_client; content:"606EF130-9852-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; 
reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated instantiation of ActiveX object - likely malicious"; flow:established,to_client; content:"new ActiveXObject|28|"; nocase; content:"unescape|28|"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft ciodm.dll ActiveX clsid access"; flow:established,to_client; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft msdxm.ocx ActiveX clsid access"; flow:established,to_client; content:"8E71888A-423F-11D2-876E-00A0C9082467"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Whale Client Components ActiveX ProgID access"; flow:established,to_client; content:"ComponentManager.Installer"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18491; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Whale Client Components ActiveX clsid access"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; fast_pattern:only; 
nocase; metadata:policy security-ips drop; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18490; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; nocase; content:"cdda|3A 2F 2F|"; nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX clsid access"; flow:established,to_client; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,42823; classtype:attempted-user; sid:19085; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX function call"; flow:established,to_client; content:"LEADRasterTwain.LEADRasterTwain"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,42823; classtype:attempted-user; sid:19086; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,www.microsoft.com/technet/security/bulletin/MS05-002.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS07-017.mspx; classtype:attempted-user; sid:3079; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; 
content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; metadata:policy security-ips drop; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB828750; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q293338; reference:url,www.microsoft.com/technet/security/bulletin/MS02-055.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS05-001.mspx; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT iTunes playlist URL overflow attempt"; flow:from_server,established; content:"[playlist]"; pcre:"/^File[0-9]+=http\x3a\x2f\x2f[^\n]{150}/Rsmi"; metadata:policy security-ips drop; reference:bugtraq,12238; reference:cve,2005-0043; classtype:attempted-user; sid:3471; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer SMIL file overflow attempt"; flow:to_client,established; content:""; nocase; content:"system-screen-size=|22|"; distance:0; nocase; isdataat:256; content:!"|22|"; within:256; metadata:policy security-ips drop, service http; reference:bugtraq,12698; reference:cve,2005-0455; classtype:attempted-user; sid:3473; rev:12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:3536; rev:10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE 
javaprxy.dll COM access"; flow:from_server,established; content:"03D9F3F2-B0E3-11D2-B081-006008039BF0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03D9F3F2-B0E3-11D2-B081-006008039BF0/si"; metadata:policy security-ips drop; reference:bugtraq,14087; reference:cve,2005-2087; reference:url,www.microsoft.com/technet/security/bulletin/ms05-037.mspx; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17680; classtype:attempted-user; sid:3814; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT msdds clsid attempt"; flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; reference:bugtraq,14594; reference:cve,2005-1990; reference:cve,2005-2127; reference:url,www.frsirt.com/english/advisories/2005/1450; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4132; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT devenum clsid attempt"; flow:from_server,established; content:"083863F1-70DE-11d0-BD40-00A0C911CE86"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083863F1-70DE-11d0-BD40-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4133; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT blnmgr clsid attempt"; flow:from_server,established; content:"3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; 
sid:4134; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed windows shortcut file with comment buffer overflow attempt"; flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/bulletin/MS05-049.mspx; classtype:attempted-user; sid:4644; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed windows shortcut file buffer overflow attempt"; flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/bulletin/MS05-049.mspx; classtype:attempted-user; sid:4643; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Metasploit Windows picture and fax viewer wmf arbitrary code execution attempt"; flow:from_server,established; content:"|01 00 09 00 00 03|R|1F 00 00 06 00|=|00 00 00 00 00|"; content:"&|06 09 00 16 00|"; metadata:policy 
security-ips drop; reference:bugtraq,16074; reference:cve,2005-4560; reference:url,www.microsoft.com/technet/security/bulletin/ms06-001.mspx; classtype:web-application-attack; sid:5319; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player Plugin for Non-IE browsers buffer overflow attempt"; flow:from_server,established; content:"]+?src\s*=\s*(\x22[^\x22]{1024}|\x27[^\x27]{1024}|[^\s]{1024})/i"; metadata:policy security-ips drop, service http; reference:bugtraq,16644; reference:cve,2006-0005; reference:url,www.microsoft.com/technet/security/bulletin/ms06-006.mspx; classtype:attempted-user; sid:5710; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player zero length bitmap heap overflow attempt"; flow:established,to_client; content:"BM|00 00 00 00|"; pcre:"/^BM\x00\x00\x00\x00/sm"; metadata:policy security-ips drop; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,www.eeye.com/html/research/advisories/AD20060214.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-005.mspx; classtype:attempted-admin; sid:5711; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Metafile invalid header size integer overflow"; flow:from_server,established; content:"|D7 CD C6 9A|"; byte_test:2,<,8,25,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,16516; reference:cve,2006-0020; reference:url,www.microsoft.com/technet/security/bulletin/ms06-004.mspx; classtype:attempted-admin; sid:5713; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB CLIENT Windows Media Player invalid data offset bitmap heap overflow attempt"; flow:established,to_client; file_data; content:"BM"; within:2; byte_test:4,<,14,8,little,relative; metadata:policy security-ips drop; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,www.eeye.com/html/research/advisories/AD2006021.html; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-005.mspx; classtype:attempted-admin; sid:5712; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.hhp.download; content:"["; content:"]"; distance:0; content:"file"; distance:0; nocase; content:"="; distance:0; pcre:"/\x5B(OPTIONS|WINDOWS|MERGE FILES|MAP|ALIAS|TEXT\x20POPUPS|INFOTYPES|SUBSETS)\x5D.*?(Contents|Index|Compiled|Sample List|Full text search stop list)\x20file\s*\x3D[^\r\n]{200}/smi"; metadata:policy security-ips drop; reference:cve,2006-0564; reference:cve,2009-0133; reference:url,users.pandora.be/bratax/advisories/b008.html; reference:url,www.frsirt.com/english/advisories/2006/0446; classtype:attempted-user; sid:5741; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0"; flow:from_server,established; content:"image/"; pcre:"/^Content-Type\s*\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; content:"GIF"; distance:0; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6502; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow attempt"; flow:to_client,established; content:"URL"; nocase; content:"mhtml|3A|//"; distance:0; nocase; pcre:"/^\s*URL\s*=\s*mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\r\n]{1253}/smi"; metadata:policy security-ips drop; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,www.microsoft.com/technet/security/bulletin/ms06-043.mspx; classtype:attempted-user; sid:6510; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime udta atom overflow attempt"; flow:to_client,established; 
content:"udta"; byte_test:4,>,4294967291,-8,relative; metadata:policy security-ips drop; reference:bugtraq,17953; reference:cve,2006-1460; classtype:attempted-user; sid:6506; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6503; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; byte_test:4,>,8388606,56,little,relative; metadata:policy security-ips drop; reference:bugtraq,17074; reference:cve,2006-1249; classtype:attempted-user; sid:6505; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer mhtml uri href buffer overflow attempt"; flow:to_client,established; content:"mhtml|3A|//"; nocase; pcre:"/href\s*=\s*(\x22mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x22]{1253}|\x27mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x27]{1253}|mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x09\r\n\x20]{1253})/smi"; metadata:policy security-ips drop; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,www.microsoft.com/technet/security/bulletin/ms06-043.mspx; classtype:attempted-user; sid:6509; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT windows explorer invalid url file overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; within:100; nocase; content:"url="; distance:0; nocase; content:"file|3A|file|3A|file|3A|"; distance:0; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,18838; reference:cve,2006-3351; classtype:denial-of-service; 
sid:7022; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel object record overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|5D 00|"; byte_test:2,>,8224,0,relative,little; content:"|15 00 12 00|"; within:4; distance:2; metadata:policy security-ips drop, service http; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,www.microsoft.com/technet/security/bulletin/ms06-037.mspx; classtype:attempted-user; sid:7048; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel object ftCmo overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|5D 00|"; content:"|15 00 12 00|"; within:4; distance:2; byte_test:2,>,0x1E,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,www.microsoft.com/technet/security/bulletin/ms06-037.mspx; classtype:attempted-user; sid:7204; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla javascript navigator object access"; flow:to_client,established; content:"window.navigator"; nocase; content:"="; within:2; content:"java."; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,19181; reference:cve,2006-3677; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-45.html; classtype:attempted-user; sid:8058; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer error message format string vulnerability attempt"; flow:established,to_client; content:""; nocase; pcre:"/<[^>]*?\x25/ROsmi"; metadata:policy security-ips drop; reference:bugtraq,14945; reference:cve,2005-2710; classtype:attempted-user; sid:8091; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML fill method overflow attempt"; flow:from_server,established; content:"|3A|fill"; nocase; content:"method"; distance:0; nocase; pcre:"/<\w+\x3afill\s[^>]*method\s*=\s*(\x27[^\x27]{32}|\x22[^\x22]{32}|[^\s>]{32})/smi"; metadata:policy security-ips drop; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,www.microsoft.com/technet/security/bulletin/ms06-055.mspx; classtype:attempted-user; sid:8416; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel colinfo XF record overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"}|00 0C 00 00 00|"; content:!"|00|"; within:1; distance:1; metadata:policy security-ips drop; reference:cve,2006-3875; reference:url,www.microsoft.com/technet/security/bulletin/ms06-059.mspx; classtype:attempted-user; sid:8448; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; content:"|90 08 00|3|B1 E5 CF 11 89 F4 00 A0 C9 03|I|CB|"; byte_test:4,>,715827882,36,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9641; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; content:"@R|D1 86 1D|1|D0 11 A3 A4 00 A0 C9 03|H|F6|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9642; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF marker object parsing buffer overflow attempt"; flow:to_client,established; content:"|01 CD 87 F4|Q|A9 CF 11 8E E6 00 C0 0C| Se"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9643; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime RTSP URI overflow attempt"; flow:from_server,established; content:"rtsp|3A|//"; nocase; pcre:"/(=\s*([\x27|\x22]rtsp\x3A[^\x22\x27\s]{200}|rstp\x3A[^\s\x3E]{200})|\x3Csrc\x3Ertsp\x3A[^\x3C]{200})/smi"; metadata:policy security-ips drop; reference:bugtraq,21829; reference:cve,2007-0015; reference:url,applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html; classtype:attempted-user; sid:9823; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime HREF Track Detected"; flow:established,to_client; flowbits:isset,http.quicktime; content:"> T<"; fast_pattern:only; pcre:"/A?<\s*([A-Za-z]{3,5}\x3A\x2F\x2F|javascript\x3a)[^>]+> T $HOME_NET any (msg:"WEB-CLIENT Firefox query interface suspicious function call access attempt"; flow:established,to_client; content:"location.QueryInterface"; nocase; content:"Components.interfaces.nsIClassInfo"; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-04.html; classtype:attempted-user; sid:10063; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Photoshop PNG file handling stack buffer overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"PLTE"; byte_test:4,>,768,-8,relative,big; metadata:policy security-ips drop; reference:bugtraq,23698; reference:cve,2007-2365; classtype:attempted-user; sid:11267; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow"; flow:to_client,established; content:"smil "; nocase; content:"wallclock|28|"; distance:0; nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel malformed FBI record"; flow:from_server,established; flowbits:isset,http.xls; content:"`|10|"; byte_test:2,>,32767,6,relative; metadata:policy security-ips drop, service http; reference:bugtraq,23826; reference:cve,2007-1203; reference:cve,2007-1747; reference:url,www.microsoft.com/technet/security/bulletin/ms07-023.mspx; classtype:attempted-user; sid:12256; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt"; flow:to_client,established; content:"8|00 04 00|"; byte_test:2,>,32767,0,relative,little; flowbits:isset,http.xlw; reference:cve,2007-3890; reference:url,www.microsoft.com/technet/security/Bulletin/ms07-044.mspx; classtype:attempted-user; sid:12284; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PCRE character class double free overflow attempt"; flow:to_client,established; content:"RegExp("; nocase; content:"[["; distance:0; content:"]]"; within:6; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25002; reference:cve,2007-3944; reference:url,docs.info.apple.com/article.html?artnum=306174; classtype:attempted-user; sid:12286; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer lyrics heap overflow attempt"; flow:established,to_client; content:"LYRICSBEGIN"; nocase; pcre:"/(EAL|EAR|ETT)\s*-0{0,4}1/i"; reference:bugtraq,26214; reference:cve,2007-5080; classtype:attempted-user; sid:12707; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks SMIL wallclock stack overflow attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC picture description metadata buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|06|"; byte_jump:4,7,relative; content:"|FF FF FF FF|"; within:4; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12743; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC VORBIS string buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|04|"; content:"|FF FF FF FF|"; within:4; distance:3; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12744; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_CLIENT Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:established,to_client; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13159; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:established,to_client; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13160; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_CLIENT Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:established,to_client; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13158; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing des buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|des"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13319; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing ART buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|ART"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13316; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cpy buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cpy"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13320; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing nam buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|nam"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13317; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 3, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13300; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player embedded JPG image width overflow attempt"; flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 5, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13301; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Quicktime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset, quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SYmbolic LinK file download"; flow:to_client,established; flowbits:isset,csv.download; content:"ID|3B|P"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2008-0112; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-014.mspx; classtype:misc-activity; sid:13585; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|"; within:6; distance:900; content:"?|13 1F 00 00 00|"; within:6; distance:640; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|A8 15|"; content:"|8C 15|"; within:2; distance:40; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"|19 13|"; within:2; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|"; within:6; distance:45; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"?|13 19 00 00 00|"; within:6; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime Obji Atom parsing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"obji"; nocase; byte_test:4,<,20,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:13920; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start JNLP attribute buffer overflow attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"WEB-CLIENT Adobe Reader and Acrobat util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript/JS"; nocase; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start xml encoding buffer overflow attempt"; flow:established,to_client; content:"]+?encoding\s*=\s*(\x22[^\x22]{28}|\x27[^\x27]{28})/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,28083; reference:cve,2008-1188; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1; classtype:attempted-admin; sid:15081; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt TEST"; flow:to_client,established; flowbits:isset,xspf_file.request; file_data; content:"|3C|identifier|3E|"; pcre:"/\x3cidentifier\x3E[^\x3c]*\x2d\d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ACD Systems ACDSee XPM file format overflow attempt"; flow:to_client,established; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy security-ips drop, service http; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:15236; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Portable Executable binary file transfer"; flow:to_client,established; content:"MZ|90 00|"; byte_jump:4,56,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,exe.download; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:15306; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt"; flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; nocase; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/si"; byte_test:1,&,0x40,4,relative; byte_test:1,=,0,5,relative; byte_test:4,>,0x1000,6,relative,big; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15357; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; metadata:policy security-ips drop, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15362; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt"; flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime pict image poly structure memory corruption attempt"; flow:established,to_client; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OLE32 microsoft MSHTA masquerade attempt"; flow:to_client,established; flowbits:isnotset,http.hta; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; nocase; content:"|D8 F4|P0|B5 98 CF 11 BB 82 00 AA 00 BD CE 0B|"; within:16; distance:60; metadata:policy security-ips drop; reference:bugtraq,13132; reference:cve,2005-0063; reference:url,www.microsoft.com/technet/security/bulletin/ms05-016.mspx; classtype:attempted-user; sid:3552; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:established,to_client; content:"|01 00 00 00|"; content:" EMF"; within:4; distance:36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|"; within:12; distance:-8; content:"F|00 00 00|"; distance:0; content:"|08|@|00 06|"; within:4; distance:12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Nullsoft Winamp pls file player name handling buffer overflow attempt"; flow:to_client,established; content:"[playlist]"; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy security-ips drop, service http; reference:bugtraq,16410; reference:cve,2006-0476; classtype:attempted-user; sid:15472; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT asp file upload"; flow:to_server,established; content:".asp"; nocase; flowbits:set,asp.upload; flowbits:noalert; classtype:protocol-command-decode; sid:15471; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime Movie File Clipping Region handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"crgn"; byte_jump:2,-6,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15559; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader JPX malformed code-block width attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"jP "; content:"|FF|O|FF|Q"; distance:0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF|R"; within:2; byte_test:1,>,16,7,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1859; classtype:attempted-user; sid:15562; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT F-Secure AntiVirus library heap overflow attempt"; flow:to_client,established; flowbits:isset,arj_file.request; content:"|0A|`|EA|"; pcre:"/\x0a\x0d?\x0a\x60\xea(.{36}[^\x00]{256}|.+\x60\xea.{32}[^\x00]{256})/s"; metadata:policy security-ips drop, service http; reference:bugtraq,12515; reference:cve,2005-0350; classtype:attempted-user; sid:15583; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"pcast|3A|//"; nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat PDF font processing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"obj<<"; content:"/BaseFont"; distance:0; content:"endobj"; distance:0; pcre:"/obj\x3c\x3c.*?\x2fBaseFont\x2f[^\x80-\xff\x2f]*[\x80-\xff].*?endobj/s"; metadata:policy security-ips drop, service http; reference:bugtraq,32100; reference:cve,2008-4813; reference:url,vallejo.cc/proyectos/adobereader812.html; classtype:attempted-user; sid:15867; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libxml2 XML file processing long entity name buffer overflow attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"WEB-CLIENT FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,4xm.request; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sophos Anti-Virus zip file handling DoS attempt"; flow:to_client,established; content:"PK|03 04|"; content:"|0C 00|"; within:2; distance:4; content:"-|00 00 00 F9 00 00 00 05 00 FF FF|"; within:12; distance:8; metadata:policy security-ips drop, service http; reference:bugtraq,14270; reference:cve,2005-1530; classtype:attempted-dos; sid:15957; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp midi file header overflow attempt"; flow:to_client,established; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy security-ips drop, service http; reference:bugtraq,18507; reference:cve,2006-3228; classtype:attempted-user; sid:16027; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer nested object tag memory corruption attempt"; flow:to_client,established; content:"|0A| $HOME_NET any (msg:"WEB-CLIENT GNU tar PAX extended headers handling overflow attempt"; flow:to_client,established; content:"GNU.sparse.numblocks="; nocase; pcre:"/GNU\x2esparse\x2enumblocks\s*\x3d\s*(0|[6-9]\d{4})/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:16053; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; content:"BGCOLOR=|22|http|3A 22|-|9D 22 22| DP=-|B3| UNITS=|22 E2 E2 E2 E2|"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:16050; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox CSS Letter-Spacing overflow attempt"; flow:to_client,established; content:"style=|22|letter-spacing|3A| -2147483648"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-1730; classtype:attempted-user; sid:16044; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SQL Server Distributed Management Objects overflow attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields"; flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - with optional fields"; flow:to_client,established; content:"|0D 0A 0D 0A|MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,&,0x0004,26,relative,little; byte_jump:2,32,relative,little; pcre:"/^.{2}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16296; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|"; within:4; distance:-24; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,www.microsoft.com/technet/security/bulletin/MS09-072.mspx; classtype:attempted-user; sid:16311; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; content:"OggS"; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36465; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"ServerSize="; distance:0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"HostSize="; distance:0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Compound File Binary v3 file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,http.oless.v3; flowbits:noalert; classtype:misc-activity; sid:16474; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Compound File Binary v4 file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,http.oless.v4; flowbits:noalert; classtype:misc-activity; sid:16475; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; content:"wOFF|00 01 00 00|"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; content:"wOFFOTTO"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"4|3A|pathl"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"4|3A|name"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"7|3A|comment"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"8|3A|announce"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Java Web Start arbitrary command execution attempt"; flow:to_client,established; content:"application/x-java-applet"; nocase; content:"-XXaltjvm"; fast_pattern:only; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16585; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; content:""; nocase; content:""; distance:0; nocase; content:" $HOME_NET any (msg:"WEB-CLIENT Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; fast_pattern:only; nocase; content:"-XXaltjvm"; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346;
reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Amaya web editor XML and HTML Parser Buffer overflow attempt"; flow:to_client,established; content:"]{500})/isR"; metadata:service http; reference:bugtraq,33047; reference:cve,2009-0323; classtype:attempted-user; sid:16601; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; file_data; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; content:"defer"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40725; reference:cve,2010-1885; reference:url,osvdb.org/show/osvdb/65264; reference:url,www.microsoft.com/technet/security/bulletin/MS10-042.mspx; classtype:attempted-user; sid:16665; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Astonsoft Deepburner dbr file name buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|DeepBurner_record"; nocase; content:"|3C|data_cd"; distance:0; nocase; content:"|3C|file"; distance:0; nocase; pcre:"/^\s*[^\x3E]*path\s*=\s*(\x22[^\x22]{272}|\x27[^\x27]{272}|[^\s\x3E]{272})/iR"; metadata:policy security-ips drop, service http; reference:bugtraq,21657; reference:cve,2006-6665; reference:url,osvdb.org/show/osvdb/32356; classtype:attempted-user; sid:16696; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration"; flow:to_client, established; content:"FlateDecode"; content:"DecodeParms"; pcre:"/DecodeParms\s*\[[^\]]*Colors\s*\d\d\d\d/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,36600; reference:cve,2009-3459; classtype:attempted-user; sid:16677; rev:1;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start Splashscreen PNG processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; within:16; pcre:"/^([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/Rs"; metadata:policy security-ips drop; reference:bugtraq,34240; reference:cve,2009-1097; classtype:attempted-user; sid:16716; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]"; within:9; content:"INDEX 1="; distance:0; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1260; reference:url,osvdb.org/show/osvdb/53275; classtype:attempted-user; sid:16733; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF"; within:4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; content:"OrbitalFileV1.0|0D 0A|"; pcre:"/^[^\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 
0A|[Group,Export,Yes]|0D 0A|"; within:22; content:"Computer="; distance:0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-4265; reference:url,osvdb.org/show/osvdb/60681; classtype:attempted-user; sid:16727; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|"; distance:0; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3861; reference:url,osvdb.org/show/osvdb/59724; classtype:attempted-user; sid:16732; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT UltraISO CUE file handling stack buffer overflow attempt"; flow:to_client,established; file_data; content:"FILE |22|"; within:6; isdataat:512,relative; content:!"|22|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24140; reference:cve,2007-2888; classtype:attempted-user; sid:16734; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|"; within:12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38815; reference:url,osvdb.org/show/osvdb/63067; classtype:attempted-user; sid:16736; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version"; within:41; 
content:"cell[0].images[0].image="; distance:0; isdataat:512,relative; content:!"|0A|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16730; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; within:12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset, http.m3u.download; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16751; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,xspf_file.request; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16752; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MultiMedia Jukebox multiple playlist file handling overflow attempt"; flow:to_client,established; flowbits:isset,http.m3u.download; file_data; content:"http|3A 2F 2F|"; within:7; pcre:"/^[^\s]{256}/R"; metadata:service http; reference:cve,2009-2650; 
reference:url,osvdb.org/show/osvdb/55924; classtype:attempted-user; sid:16739; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT DX Studio Player plug-in command injection attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"WEB-CLIENT Microsoft LNK shortcut download attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2568; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms10-046.mspx; classtype:attempted-user; sid:17042; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml"; nocase; content:"|3C|outline"; distance:0; nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 3"; flow:to_client,established; flowbits:isset,http.mp4; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17150; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 2"; flow:to_client,established; flowbits:isset,http.mp3; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17149; rev:1;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 1"; flow:to_client,established; flowbits:isset,http.avi; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17148; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt"; flow:to_client,established; flowbits:isset,http.jpeg; content:"|FF C4 02 11 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:service http; reference:bugtraq,12905; reference:cve,2005-0903; classtype:attempted-user; sid:10126; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt"; flow:established, from_server; content:"arguments|2E|callee|2E|"; nocase; content:"|5F 5F|parent|5F 5F 2E|eval"; distance:0; fast_pattern; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,13645; reference:cve,2005-1532; reference:url,secunia.com/advisories/15528/; classtype:attempted-user; sid:17212; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari LI tag with large VALUE attribute exploit attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:established, to_client; content:"window|2E|open"; nocase; content:"about|3A|mozilla"; within:50; nocase; content:"document|2E|write"; distance:0; nocase; content:"about|3A|config"; within:50; fast_pattern; nocase; metadata:policy security-ips drop, service http; reference:cve,2005-2706; reference:url,secunia.com/advisories/16911/; classtype:attempted-user; sid:17213; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari TABLE tag with large CELLSPACING 
attribute exploit attempt"; flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1986; classtype:attempted-user; sid:17216; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"Sheet1"; content:"|8C 00 04 00 56 00 56 00 C1 01 08 00 C1 01 00 00 80 38 01 00|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:1;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Tiff file download - little-endian"; flow:to_client,established; file_data; content:"II|2A 00|"; within:4; flowbits:set,http.tiff.little; flowbits:noalert; classtype:misc-activity; sid:17229; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_client,established; flowbits:isset,http.tiff.big; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:service http; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-105.mspx; classtype:attempted-user; sid:17232; rev:5;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Tiff file download - big-endian"; flow:to_client,established; file_data; content:"MM|00 2A|"; within:4; flowbits:set,http.tiff.big; flowbits:noalert; classtype:misc-activity; sid:17230; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_client,established; flowbits:isset,http.tiff.little; content:"|02 01 03 00|"; 
byte_test:4,>,6,0,relative,little; metadata:service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:17231; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox nsPropertyTable PropertyList memory corruption attempt"; flow:established, to_client; content:"-moz-column-"; fast_pattern:only; content:"documentElement.style.height"; pcre:"/]*?height[^>]*?>/smi"; pcre:"/]*?position[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?documentElement\.style\.height[^>]*?/smiR"; metadata:policy security-ips drop, service http; reference:cve,2009-3070; reference:url,secunia.com/advisories/36671/; classtype:attempted-user; sid:17236; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox image dragging exploit attempt"; flow:to_client,established; content:"|3C|img|20|"; content:"|2E|bat"; distance:0; fast_pattern; nocase; pcre:"/\x3cimg\s[^\x3e]*\x2ebat/i"; metadata:policy security-ips drop, service http; reference:cve,2005-0230; classtype:attempted-user; sid:17245; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes AAC file handling integer overflow attempt"; flow:to_client,established; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy security-ips drop, service http; reference:bugtraq,18730; reference:cve,2006-1467; classtype:attempted-user; sid:16055; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint malformed data record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|F2 03|"; content:"|AA AA AA 2F 00 C8 0F 0C 00 00 00 30 00 D2 0F 04 00|"; within:17; distance:1; metadata:policy security-ips drop, service http; reference:bugtraq,20322; 
reference:cve,2006-3876; classtype:attempted-user; sid:17292; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox plugin access control bypass attempt"; flow:to_client,established; content:"file|2E|initWithPath|28 22|c|3A 5C 5C 5C 5C|booom|2E|bat"; content:"xpcom|20 2B 3D 20 27|file|2E|createUnique"; content:"outputStream|2E|init|28|file|2C|0x04|7C|0x08|7C|0x20|2C|420"; metadata:policy security-ips drop, service http; reference:bugtraq,12655; reference:cve,2005-0527; classtype:attempted-user; sid:17265; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|"; distance:0; content:"delete|20|tree"; distance:0; content:"delete|20|selection"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer AVI parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.avi; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,13530; reference:cve,2005-2052; classtype:attempted-user; sid:17272; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office malformed routing slip code execution attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"Routing|3A 20|"; content:"|B9 00 9B 05 56 04 3F 05 00 00 41 41 41 41|"; distance:0; metadata:policy security-ips drop, service http; reference:bugtraq,17000; reference:cve,2006-0009; classtype:attempted-user; sid:17284; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 
Microsoft Windows Web View script injection attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|1E 00 00 00|"; fast_pattern; content:"javascript"; distance:0; nocase; pcre:"/\x1e\x00\x00\x00.{4}[^\x00]*?\x40[^\x00]*?javascript/i"; metadata:policy security-ips drop, service http; reference:bugtraq,13248; reference:cve,2005-1191; classtype:attempted-user; sid:17271; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint PPT file parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|A4 37 7A 00 81 00 00 00 00 00 82 00 00 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,18993; reference:cve,2006-3656; classtype:attempted-user; sid:17285; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE malformed iframe buffer overflow attempt"; flow:to_client,established; content:"