# Snort signature set (one rule per line). This copy had been collapsed onto a
# few physical lines with rules split mid-option; Snort's rule parser needs
# each rule on its own line (or explicit `\` continuations), so the rules are
# re-flowed here without changing any token.
#
# Reading guide for the options used below:
#   flow:to_server/to_client (or from_server) fixes the direction the payload
#   is inspected in; `distance`/`within` make a content match relative to the
#   previous one, so option order inside a rule is significant and must not be
#   reordered; `fast_pattern(:only)` picks the string handed to the multi-
#   pattern matcher; `flowbits:isset,<name>` makes a rule inert unless another
#   rule that does `flowbits:set,<name>` is also loaded. The setters for the
#   http.* and *.request flowbits referenced in this section are not present in
#   this listing, so those rules depend on companion rule files.
#
# ATTACK-RESPONSES: inspect HTTP *responses* ($HTTP_SERVERS -> $EXTERNAL_NET) for
# strings typical of command-interpreter output. A hit is a post-compromise
# indicator (the server is already echoing command output), not an attempt.
# The patterns are plain case-insensitive literals, so ordinary pages that
# happen to contain these phrases would presumably also trigger; tune with
# suppress/threshold rather than disabling.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:13;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:14;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
# BACKDOOR: client-side runtime indicators. The first three key on the body of
# an outbound POST to an ICQ web-message CGI (/scripts/WWPMsg.dll) with
# trojan-specific form field values; the `distance:0` chains in sid 7116 and
# later rules require the fields to appear in the listed order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR freak 1.0 runtime detection - icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=FrEaK_ViCTiM"; nocase; content:"fromemail=FrEaK"; nocase; content:"subject=FrEaK+SERVER"; nocase; content:"body="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6071; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR globalkiller1.0 runtime detection - notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=MondoHack"; nocase; content:"fromemail="; nocase; content:"subject="; nocase; content:"body="; nocase; content:"to="; nocase; content:"send="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6331; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR y3k 1.2 runtime detection - icq notification"; flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:4;)
# Server-to-client half of a two-stage detection: only fires when the
# nova_cgi_cts flowbit was set by the client-to-server rule (not in this listing).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client"; flow:from_server,established; flowbits:isset,nova_cgi_cts; content:"|23| Nova CGI Notification Script"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7743; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR itadem trojan 3.0 runtime detection"; flow:to_client,established; content:"|0D 0A|ItAdEm Trojan Server|0D 0A|"; nocase; reference:url,www.antispyware.com/glossary_details.php?ID=2059; reference:url,www.megasecurity.org/trojans/i/itadem/Itadem3.0.html; classtype:trojan-activity; sid:12244; rev:1;)
# UTF-16LE literals ("[update]", "[popwin]") written as interleaved |00| bytes;
# gated on a flowbit set elsewhere.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR trojan-spy.win32.delf.uv runtime detection"; flow:from_server,established; flowbits:isset,Trojan-Spy.Win32.Delf.uv_Detection; content:"[|00|u|00|p|00|d|00|a|00|t|00|e|00|]"; content:"[|00|p|00|o|00|p|00|w|00|i|00|n|00|]"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Delf.uv&threatid=134949; classtype:trojan-activity; sid:13878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR td.exe runtime detection - download"; flow:to_server,established; content:"/download.php"; nocase; content:"id="; distance:0; nocase; content:"Submit=Download+Crack+and+Keygen"; distance:0; nocase; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16096; rev:2;)
# Long ordered chain of bot check-in parameter names; every content must
# appear after the previous one.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR win32.delf.jwh runtime detection"; flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; reference:url,www.emsisoft.com/en/malware/?Backdoor.Win32.Delf.jwh; classtype:trojan-activity; sid:16092; rev:2;)
# NOTE: `flow:to_server` without `established` - this one also inspects
# packets outside a completed handshake, unlike its neighbours.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:1;)
# BOTNET-CNC: outbound C2 traffic. The Delf rule uses two short contents only
# as a pre-filter; the pcre carries the actual key=value structure.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Delf Trojan POST attempt"; flow:to_server,established; content:"tip"; nocase; content:"&cli"; distance:0; nocase; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1; classtype:trojan-activity; sid:15730; rev:4;)
# Night Dragon: 4-byte marker at payload offset 12 (depth:4 + offset:12), then
# a 2-byte message-type word; the two rules differ only in that word.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Night Dragon initial beacon"; flow:established,to_server; content:"|68 57 24 13|"; depth:4; offset:12; content:"|01 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Night Dragon keepalive message"; flow:established,to_server; content:"|68 57 24 13|"; depth:4; offset:12; content:"|03 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:1;)
# CHAT / DOS: overlong-field and malformed-request checks. The /R pcre
# modifier anchors the regex to the end of the preceding content match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHAT mIRC IRC URL buffer overflow attempt"; flow:to_client,established; content:"src='irc|3A|//"; pcre:"/^\S{999}/R"; reference:bugtraq,8819; reference:cve,2003-1336; classtype:attempted-user; sid:16579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Microsoft XML parser IIS WebDAV attack attempt"; flow:established,to_server; content:"PROPFIND"; depth:8; nocase; pcre:"/(xmlns\x3A.*?){15}/"; reference:bugtraq,11384; reference:cve,2003-0718; classtype:denial-of-service; sid:12043; rev:4;)
# "-100" is a very short fast pattern; expect the pcre to do most of the work.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"-100"; fast_pattern:only; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:16214; rev:3;)
# file_data: inspect the (decoded) HTTP response body rather than the raw packet.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; file_data; content:"|FF D8 FF|"; content:"|FF ED|"; content:"8BIM"; within:4; distance:16; nocase; pcre:"/\xff\xed.{16}8BIM\x04(\x09|\x0c)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:1;)
# EXPLOIT: file-format checks driven by byte_jump/byte_test relative to a
# magic value (TIFF "II*\0" / "MM\0*", QuickTime atoms). sid 12634 and later
# rules are gated on http.tiff/http.quicktime/http.swf/http.pdf/http.doc
# flowbits whose setters are in another rule file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging small offset malformed tiff"; flow:to_client,established; content:"II*|00|"; byte_jump:4,0,relative,little; content:"|02 01 03 00|"; distance:-8; byte_test:4,>,6,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12633; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; flowbits:isset,http.tiff; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12634; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple QuickTime STSD atom overflow attempt"; flow:established,to_client; flowbits:isset,http.quicktime; content:"stsd"; byte_test:4,>,0,4,relative,big; byte_test:4,<,12,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26341; reference:cve,2007-3750; classtype:attempted-user; sid:12746; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Skype skype4com URI handler memory corruption attempt"; flow:established,to_client; content:"skype4com|3A|"; fast_pattern:only; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Apple QTIF malformed idsc atom"; flow:established,to_client; content:"idsc"; byte_test:4,<,94,-8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0033; classtype:attempted-user; sid:13517; rev:2;)
# Same byte pattern tied to "ByteArray" within 100 bytes, once for SWF and once
# for PDF carriers (different flowbit gate, different sid).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Possible Adobe Flash ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Possible Adobe PDF ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; content:"unescape|28|'"; content:"GetDetailsString|28|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3008; reference:url,www.microsoft.com/technet/security/bulletin/MS08-053.mspx; classtype:attempted-user; sid:16578; rev:2;)
# Inbound request check: isdataat:500,relative cheaply rejects short cookies
# before the pcre measures the JSESSIONID value length.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT BEA WebLogic jsessionid buffer overflow attempt"; flow:to_server,established; content:"JSESSIONID="; nocase; isdataat:500,relative; pcre:"/^Cookie\x3a[^\n]*[\x3b\x3a]\s*JSESSIONID=[^\n\x3b=]{500}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33177; reference:cve,2008-5457; classtype:attempted-admin; sid:15010; rev:7;)
# Three fixed-byte variants for the same CVE (sids 17404/17406/17405); the
# third is not gated on http.doc and so inspects every HTTP response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17404; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17406; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt"; flow:to_client,established; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4841; reference:url,www.microsoft.com/technet/security/bulletin/ms09-010.mspx; classtype:attempted-user; sid:17405; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT osCommerce categories.php Arbitrary File Upload And Code Execution"; flow:to_server,established; content:"/admin/categories.php/login.php?cPath=&action=new_product_preview"; fast_pattern:only; reference:bugtraq,44995; classtype:web-application-attack; sid:18678; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Sun Java Applet2ClassLoader Remote Code Execution"; flow:from_server,established; file_data; content:"codebase|3D 22|file|3A 2F 2F|"; nocase; content:"code|3D 22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-4452; reference:url,exploit-db.com/exploits/16990/; classtype:attempted-user; sid:18679; rev:1;)
# MISC
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Visio version number anomaly"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; fast_pattern:only; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0934; reference:url,www.microsoft.com/technet/security/bulletin/MS07-030.mspx; classtype:misc-activity; sid:11836; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MISC HP DDMI Agent spoofing - command execution"; flow:established,to_server; content:"SOAPMethodName|3A| urn|3A|aiagent|23|executeProcess"; nocase; metadata:policy security-ips drop; reference:bugtraq,35250; reference:cve,2009-1419; classtype:attempted-admin; sid:18397; rev:1;)
# MULTIMEDIA: header-field sanity checks on media files; the first four are
# gated on *_file.request / realplayer.playlist flowbits set by request-side
# rules not shown here. The last rule only sets http.realplayer (noalert) for
# consumption by other rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,wav_file.request; content:"RIFF"; content:"WAVEfmt"; distance:4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,realmedia_file.request; content:"INDX"; byte_test:4,>,0x15555554,6,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,realplayer.playlist; content:"qt|3A|next"; fast_pattern:only; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Nullsoft Winamp AIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,aiff_file.request; content:"COMM"; byte_test:4,>,0xD9EF,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33226; reference:cve,2009-0263; classtype:attempted-user; sid:15901; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA realplayer .rec download attempt"; flow:from_server,established; file_data; content:".rec|00|"; fast_pattern:only; flowbits:set,http.realplayer; flowbits:noalert; classtype:misc-activity; sid:19128; rev:1;)
# Continuation of the rule set (re-flowed to one rule per line; no token
# changed). Several rules in this section are gated on http.pdf/http.exe/
# http.xls/http.doc/http.ppt/http.rtf/http.lnk flowbits whose setters are not
# in this listing; http.realplayer and http.fpx are *set* here but no rule in
# this listing consumes them.
#
# Flowbit setter only (flowbits:noalert): marks the session as a RealPlayer
# .r1m download for later rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA realplayer .r1m download attempt"; flow:from_server,established; file_data; content:".r1m"; fast_pattern:only; flowbits:set,http.realplayer; flowbits:noalert; classtype:misc-activity; sid:19129; rev:1;)
# POLICY: application/file-type visibility rules, not exploit detection.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Visio file download"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A|"; fast_pattern:only; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Webmail client chat applet"; flow:established,to_server; content:"POST"; nocase; content:"/mail/channel/bind"; fast_pattern:only; classtype:policy-violation; sid:12391; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent|3A| Ruckus/"; fast_pattern:only; classtype:policy-violation; sid:12425; rev:4;)
# NOTE(review): `flowbits:isset, rpt.download` has a space after the comma;
# confirm the target Snort version tolerates it, otherwise the rule fails to load.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Crystal Reports file download"; flow:to_client,established; flowbits:isset, rpt.download; content:"|D0 CF 11 E0 A1 B1 1A E1 00|"; fast_pattern:only; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,www.microsoft.com/technet/security/bulletin/ms07-052.mspx; classtype:policy-violation; sid:12456; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY AIM Express usage"; flow:to_server,established; content:"Host|3A| aimexpress.aol.com"; fast_pattern:only; reference:url,www.aim.com/aimexpress.adp; classtype:policy-violation; sid:12686; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Habbo chat client successful login"; flow:to_client,established; content:"document.habboLoggedIn = true"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13863; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:15170; rev:4;)
# PDF-carried Flash: "stream" keyword immediately followed (pcre /R) by a
# CWS/FWS SWF header.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY attempted download of a PDF with embedded Flash"; flow:to_client,established; flowbits:isset,http.pdf; content:"stream"; fast_pattern; nocase; pcre:"/^[\x0A\x0D]{1,2}[CF]WS/iR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:15727; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Adobe PDF alternate file magic obfuscation"; flow:established,to_client; flowbits:isset,http.pdf; content:"%COS-0.2"; depth:1032; content:"PDF-"; distance:0; metadata:policy security-ips drop; reference:url,www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf; classtype:misc-activity; sid:16390; rev:3;)
# UPX packer-stub fingerprints (x86 byte sequences, version-specific); gated on
# http.exe. Packed binaries are not inherently malicious, hence classtype
# misc-activity with no drop policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"`|E8 00 00 00 00|X|83 E8|=P|8D B8|"; content:"|FF|W"; within:2; distance:3; content:"|8A 06|F|88 07|G|EB EB 90 90 90 B8 01 00 00 00 01|"; within:17; distance:28; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16434; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"`|BE|"; content:"|8D BE|"; within:2; distance:4; pcre:"/^\x57(\x83\xCD\xFF)?\x89\xE5\x8D\x9C\x24.{4}\x31\xC0\x50\x39\xDC\x75\xFB\x46\x46\x53\x68.{4}\x57\x83\xC3\x04\x53\x68.{4}\x56\x83\xC3\x04\x53\x50\xC7\x03.{4}\x90\x90/R"; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16436; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file download"; flow:to_client,established; flowbits:isset,http.exe; content:"|8A 06|F|88 07|G|01 DB|u|07 8B 1E 83 EE FC 11 DB|"; pcre:"/^(\x72\xED\xB8\x01.{3}|\x8A\x07\x72\xEB\xB8\x01\x00\x00\x00)\x01\xDB\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x11\xC0\x01\xDB[\x73\x77].{3}\x8B\x1E\x83\xEE\xFC/R"; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16435; rev:3;)
# PDF /Launch action whose /F target ends in an executable extension.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY PDF with click-to-launch executable"; flow:established,to_client; flowbits:isset,http.pdf; content:"obj"; nocase; content:"<<"; within:4; content:"/Launch"; within:100; fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|com|swf)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY base64-encoded uri data object found"; flow:to_client,established; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of Windows .lnk file that executes cmd.exe detected"; flow:to_client,established; flowbits:isset,http.lnk; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-049.mspx; classtype:attempted-user; sid:17442; rev:1;)
# PDF dictionary keys (/JS, /JavaScript, /OpenAction): "obj" then "<<" within 4
# bytes, then the key; the pcre re-checks the same layout.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with embedded JavaScript - JS string"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/JS"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*?\x2fJS[\s|>|<]/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:17668; rev:3;)
# Flowbit setter only. NOTE(review): `flow:to_server, established` contains a
# space after the comma - confirm the parser accepts it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY FlashPix file download request"; flow:to_server, established; content:".fpx"; nocase; flowbits:set,http.fpx; flowbits:noalert; classtype:policy-violation; sid:17739; rev:1;)
# Office documents carrying Flash objects (the PowerPoint variant matches the
# UTF-16LE string "Shockwave Flash Object").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Excel with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.xls; content:"ShockwaveFlashObjects"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:18545; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Word with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.doc; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:18546; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Microsoft Powerpoint with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,http.ppt; content:"|53 00 68 00 6F 00 63 00 6B 00 77 00 61 00 76 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 4F 00 62 00 6A 00 65 00 63 00 74 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:18547; rev:2;)
# Embedded-object markers: "3C7064663E"/"3C2F7064663E" are the hex encodings
# of "<pdf>"/"</pdf>" as they appear in hex-encoded streams; "d0cf11e" is the
# start of the OLE compound-file magic in hex.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY PDF file with embedded PDF object"; flow:established,to_client; file_data; content:"EmbeddedFile"; distance:0; nocase; content:"3C7064663E"; distance:0; nocase; content:"3C2F7064663E"; distance:0; nocase; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY RTF file with embedded OLE object"; flow:established,to_client; flowbits:isset,http.rtf; file_data; content:"d0cf11e"; distance:0; nocase; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18685; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with embedded JavaScript - JavaScript string"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/JavaScript"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fJavaScript/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18681; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of a PDF with OpenAction object"; flow:established,to_client; content:"obj"; nocase; content:"<<"; within:4; content:"/OpenAction"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fOpenAction/smi"; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18682; rev:2;)
# isdataat:!3,relative - the "%%EOF" must be at (or within 3 bytes of) the end
# of the inspected buffer.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Excel file with embedded PDF object"; flow:established,to_client; flowbits:isset,http.xls; file_data; content:"startxref"; distance:0; nocase; content:"%%EOF"; distance:0; nocase; isdataat:!3,relative; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18683; rev:2;)
# Mach-O fat binary magic at the start of the response body, with a
# plausibility bound on the architecture count that follows it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Apple Mach-O executable download attempt"; flow:established,to_client; file_data; content:"|CA FE BA BE|"; within:4; byte_test:4, <, 20, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html; classtype:policy-violation; sid:18983; rev:1;)
# SCAN: stateless - evaluated on any packet with SYN+FIN+PSH set and ack 0,
# no established session required.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
# SHELLCODE: JavaScript served to clients. The first pcre is a keyword gate
# (variable names commonly seen alongside sprays); the second checks the
# unescape() argument encoding. Generic JS-heavy pages may match the gate, so
# the second pcre is what limits false positives.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c]u[0-9a-f]{4}(\x22\s*\x2B\s*\x22)?[\x25\x5c]u[0-9a-f]{4}/smi"; classtype:shellcode-detect; sid:10504; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi"; classtype:shellcode-detect; sid:10505; rev:3;)
# UTF-16LE variant of the two rules above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape unicode encoded shellcode"; flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; classtype:shellcode-detect; sid:12630; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE JavaScript var shellcode"; flow:to_client,established; content:" shellcode"; fast_pattern:only; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; sid:17392; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE JavaScript var heapspray"; flow:to_client,established; content:" heapspray"; fast_pattern:only; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; sid:17393; rev:2;)
# SPECIFIC-THREATS: fixed-byte / literal-string matches for known samples.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 1E 02 00 00 EB 0A 11 06 2E 02 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17497; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Powerpoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 36 00 00 00 0F 00 11 05 2E 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17496; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel Column record handling memory corruption attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 00 1C 00 0F 00 02 00 FF FF 00 00 01 00 03 00 00|"; fast_pattern:only; reference:bugtraq,21925; reference:cve,2007-0030; classtype:attempted-user; sid:17543; rev:3;)
# "obfuscated ... ActiveX" rules match one specific string-splitting /
# setAttribute form of the CLSID; other obfuscations of the same control are
# not covered by these literals.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated RealPlayer Ierpplug.dll ActiveX exploit attempt"; flow:established,to_client; content:"VulObject = |22|IER|22| + |22|PCtl.I|22| + |22|ERP|22| + |22|Ctl.1|22 3B|"; nocase; metadata:policy security-ips drop; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,26586; reference:cve,2006-6847; reference:cve,2007-5601; classtype:attempted-user; sid:12775; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt"; flow:established,to_client; content:"storm.setAttribute|28 22|classid|22|,|22|clsid|3A|6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB|22 29|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25601; reference:cve,2007-4816; classtype:attempted-user; sid:12771; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated RDS.Dataspace ActiveX exploit attempt"; flow:established,to_client; content:"00C04FC29E36|7C|983A|7C|11D0|7C|65A3|7C 7C|BD96C556|7C 7C|clsid"; nocase; metadata:policy security-ips drop; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,www.microsoft.com/technet/security/bulletin/MS06-014.mspx; classtype:attempted-user; sid:12770; rev:3;)
# NOTE(review): sid 12773 carries an empty `content:""`. The pattern appears to
# have been lost when this copy was extracted (presumably an angle-bracketed
# string that was stripped as markup). An empty content is not a usable match
# and Snort will likely refuse to load it - restore the pattern from the
# upstream ruleset before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt"; flow:established,to_client; content:""; nocase; metadata:policy security-ips drop; reference:bugtraq,26536; reference:cve,2007-6144; classtype:attempted-user; sid:12773; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated PPStream PowerPlayer ActiveX exploit attempt"; flow:established,to_client; content:"pps.setAttribute|28 22|classid|22|,|22|clsid|3A|5EC7C511-CD0F-42E6-830C-1BD9882F3458|22 29|"; nocase; metadata:policy security-ips drop; reference:bugtraq,25502; reference:cve,2007-4748; classtype:attempted-user; sid:12772; rev:4;)
# NOTE(review): the next line is two rules fused by the same extraction
# damage: the GlobalLink rule's content string, its references and sid, and
# the header of the Metasploit xmlrpc.php rule (up to `any ->`) are missing,
# and the text `content:" $HOME_NET $HTTP_PORTS (msg:...` is what remains.
# The three xmlrpc.php rules also contain two empty `content:""` options each
# where element names presumably stood. None of these four rules is loadable
# as written; they are kept verbatim here so the sids (13816, 13818, 13817)
# can be matched against the upstream source, not for use.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt"; flow:established,to_client; content:" $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Metasploit Framework xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:""; distance:0; content:""; distance:0; content:"'|29 3B|echo|28|'"; distance:0; content:"'|29 3B| passthru|28|chr|28|"; distance:0; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13816; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS alternate xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:""; distance:0; content:""; distance:0; content:"AND ascii|28|substring|28|pass,1,1|29 29 0A|/**/BETWEEN/**/52/**/AND/**/58|29|/*"; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13818; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:""; distance:0; content:""; distance:0; content:"',''|29 29 3B|echo '_begin_|0A|'|3B|echo"; distance:0; metadata:policy security-ips drop; reference:cve,2005-1921; classtype:attempted-admin; sid:13817; rev:5;)
# The listing is truncated here: the following rule header has no body.
alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS isComponentInstalled Metasploit attack attempt"; flow:established,to_client; content:"isComponentInstalled|28|boom"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Visio Object Header Buffer Overflow attempt"; flow:to_client,established; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox animated PNG processing integer overflow"; flow:established,to_client; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR|00 00 80 00 00 00 80 00 08 06 00 00 01 B3|{|93|"; metadata:policy security-ips drop; reference:cve,2008-4064; classtype:attempted-user; sid:15191; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; content:"XUL_NS"; content:"child.parentNode.removeChild"; distance:0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26132; 
reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; content:""; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|"; within:64; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33880; reference:cve,2009-0520; classtype:attempted-user; sid:15478; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS"; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:established,to_client; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0015; 
reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms09-032.mspx; classtype:attempted-user; sid:15678; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript - unicode encoding"; flow:established,to_client; content:".|00 00 00|c|00 00 00|l|00 00 00|a|00 00 00|s|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00|=|00 00 00|'|00 00 00|c|00 00 00|l|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00 3A 00 00 00|0|00 00 00|9|00 00 00|5|00 00 00|5|00 00 00|A|00 00 00|C|00 00 00|6|00 00 00|2|00 00 00|-|00 00 00|B|00 00 00|F|00 00 00|2|00 00 00|E|00 00 00|-|00 00 00|4|00 00 00|C|00 00 00|B|00 00 00|A|00 00 00|-|00 00 00|A|00 00 00|2|00 00 00|B|00 00 00|9|00 00 00|-|00 00 00|A|00 00 00|6|00 00 00|3|00 00 00|F|00 00 00|7|00 00 00|7|00 00 00|2|00 00 00|D|00 00 00|4|00 00 00|6|00 00 00|C|00 00 00|F|00 00 00|'|00 00 00 3B|"; nocase; metadata:policy security-ips drop; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms09-032.mspx; classtype:attempted-user; sid:15679; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; content:"Math.ceil|28|Math.log|28|"; nocase; content:"Math.LN2|29|"; distance:0; nocase; pcre:"/\x29\s*\x2f\s*Math.LN2\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Internet Explorer popup window object tag code execution attempt"; flow:to_client,established; content:"window.createPopup|28 29|"; content:"oPopup.document.body.innerHTML"; distance:0; content:""; distance:0; metadata:policy 
security-ips drop; reference:cve,2003-0838; classtype:attempted-user; sid:15880; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer Multiple Products RA file processing overflow attempt"; flow:to_client,established; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-2264; classtype:attempted-user; sid:15940; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt"; flow:to_client,established; content:"-lh0-"; content:"|02 C9 C5|M|88 00 02|DDDD"; within:11; distance:13; metadata:policy security-ips drop; reference:bugtraq,12832; reference:cve,2005-0644; classtype:attempted-user; sid:15950; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; flowbits:isset,http.swf; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS zlib Denial of Service"; flow:to_client,established; content:"x|9C 85 C1 B9 11 80|0|10 04|A|EC A9 9A A0 C4|+|1E 91 7F FE D8 EB|p|DD AD FD 93 B9| KA|D6 82|l|05 D9 0B|r|14 A4|'9|93 5C|I|EE 24|O|92 91 E4|M2}yw[|86|"; metadata:policy security-ips drop; reference:bugtraq,11051; reference:cve,2004-0797; classtype:attempted-user; sid:15981; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS PHP strip_tags bypass vulnerability exploit attempt"; flow:to_server,established; 
content:"/strip/getPoc.php?note=%3Cs%00cript%3Ealert%28%27Oops!%27%29%3B%3C%2Fs%00cript%3E"; metadata:policy security-ips drop; reference:bugtraq,10724; reference:cve,2004-0595; classtype:attempted-user; sid:15977; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS F-Secure Anti-Virus LHA processing buffer overflow attempt"; flow:to_client,established; content:"!|C3|-lh0-|18 00 00 00 05 00 00 00 FA BB|m0 |01 08|testfile|F8 1B|U|05 00|P|B4 81 94 01 01|UUUU"; metadata:policy security-ips drop; reference:bugtraq,10243; reference:cve,2004-0234; classtype:attempted-user; sid:15966; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Exchange OWA XSS and spoofing attempt"; flow:to_client,established; content:"exchange/calendar/pick.asp?view=ppp%22>|22|>click this"; metadata:policy security-ips drop; reference:bugtraq,10902; reference:cve,2004-0203; classtype:misc-attack; sid:15964; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Microsoft ASP.NET canonicalization exploit attempt"; flow:to_server,established; content:"GET /fsc/secured|5C|fsc.aspx HTTP/1.1"; metadata:policy security-ips drop; reference:bugtraq,11342; reference:cve,2004-0847; classtype:attempted-user; sid:15985; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_client,established; content:"|00 9A 00 00 00 FF 80|P|00 00 00 00 00 14 00 14 00 02|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:16001; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Publisher 2007 conversion library code execution attempt"; flow:to_client,established; flowbits:isset,http.pub; content:"|01 00 00 00 FF FF FF 7F 01 00 00 80 01 00 00 00 10 0E FE 7F 01 00 00 00 58 00 7C 96 18 CB 7C 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22702; reference:cve,2007-1754; classtype:attempted-user; sid:16051; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Yahoo Music Jukebox ActiveX exploit"; flow:established,to_client; content:"buf = buf + unescape|28 22|%u"; nocase; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; nocase; metadata:policy security-ips drop; reference:bugtraq,27578; reference:bugtraq,27579; reference:cve,2008-0624; reference:cve,2008-0625; classtype:attempted-user; sid:16068; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor AV gateway virus detection bypass attempt"; flow:to_client,established; content:""; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,12269; reference:cve,2005-0218; classtype:misc-attack; sid:16087; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; 
sid:16145; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; content:"SPP_P|1D CD|P|3B D5 AF AF AF AF 19|6|A5|U4cz{|B1 04 1D E7 EF|jiI|8A|T|D1|s|FD 0C F7|"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:16089; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt"; flow:established,to_client; content:"white-space|3A| pre"; content:""; distance:0; fast_pattern; reference:cve,2010-3765; classtype:attempted-user; sid:19077; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|"; within:16; distance:320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|"; within:16; distance:320; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; content:"window|2E|getSelection|28 29 
2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|"; distance:0; content:"window|2E|getSelection|28 29 2E|removeAllRanges"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|"; within:48; distance:112; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19082; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 DA EC BD 09 78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 5B D8 D2 49 48 20 10 92|"; within:50; metadata:policy security-ips drop; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18989; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 
22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Firefox appendChild use-after-free attempt"; flow:established,to_client; content:"var cobj=document.createElement(str)|3B 0A 20 20 20|cobj.id=|22|testcase|22 3B 0A 20 20 20|document.body.appendChild(cobj)|3B|"; content:"for(p in obj){|0A 20 20 20 20 20 20|if(typeof(obj[p])==|22|string|22|){"; distance:0; content:"document.body.removeChild(cobj)|3B|"; distance:0; reference:cve,2010-3765; classtype:attempted-user; sid:19076; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:established,to_client; content:"text-transform|3A 20|lowercase|3B|"; fast_pattern:only; content:"document|2E|getElementById|28 22|result|22 29 2E|innerHTML|20 3D 20 22|PASS|22 3B|"; metadata:policy security-ips drop; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19096; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D stucture heap overflow"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|80 FF FF FF 00|"; within:5; distance:36; content:"|0C 0C 0C 0C FF 00 00 00|"; within:8; distance:25; reference:cve,2009-4002; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19112; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader malformed U3D integer overflow"; flow:to_client,established; flowbits:isset,http.pdf; content:"/FlateDecode/Length 96729/Subtype/U3D/Type/3D/VA"; content:"/TYPE/3DView/XN(DefaultView)>>]>>stream|0D 0A 78 DA AC DD 05|"; within:46; 
distance:114; reference:cve,2009-3959; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:19117; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit ContentEditable code execution attempt"; flow:established,to_client; content:"object.innerHTML = |22 22 3B|"; content:"object.value|3B|"; within:30; content:"|3C|select id|3D 22|object|22 3E 3C|option|3E|"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19097; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 45 overflow attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|45 FF FF FF 00 FF 00|"; within:7; distance:36; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19114; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows ATMFD font driver remote code execution attempt"; flow:to_client, established; content:"BellGothicStd-Bla|00 01 02 80|"; reference:cve,2010-3957; reference:url,www.microsoft.com/technet/security/bulletin/ms10-091.mspx; classtype:attempted-user; sid:19119; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 81 overflow attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|81 FF FF FF 00 FF 00|"; within:7; distance:36; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19113; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 89 overflow 
attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|89 FF FF FF 00 FF 00|"; within:7; distance:36; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19115; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:established,to_client; content:"text-transform|3A 20|capitalize|3B|"; fast_pattern:only; content:"document.body.addTextNode"; metadata:policy security-ips drop; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19095; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Reader script injection vulnerability"; flow:to_client,established; flowbits:isset,http.pdf; content:"(j)"; content:"(a)"; within:10; distance:5; content:"(v)"; within:10; distance:5; fast_pattern; content:"(a)"; within:10; distance:5; content:"(s)"; within:10; distance:5; content:"(c)"; within:10; distance:5; content:"(r)"; within:10; distance:5; content:"(i)"; within:10; distance:5; content:"(p)"; within:10; distance:5; content:"(t)"; within:10; distance:5; reference:cve,2009-3956; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:19118; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Apple Safari Webkit ContentEditable code exeuction attempt"; flow:established,to_client; content:"target.innerHTML = |22 3C|option|3E|PASS|3C 2F|option|3E 22 3B|"; content:"getElementById|28 22|result|22 29|.innerHTML = target.value"; fast_pattern:only; metadata:policy security-ips drop; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19098; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer IVR handling 
heap buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.realplayer; file_data; content:"|01 00 00 00 00 00 00 5C 00 00 00 78 E0 00 00 05 40 00 00|"; distance:0; metadata:policy security-ips drop; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19127; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.realplayer; file_data; content:"|08 00 00 00 00 00 00 00 00 02 00 00 04 4E 00 01 03 00 00 00 00 00 03 CA 00 00 03 E6 E0 00 00 05 00|"; distance:0; metadata:policy security-ips drop; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19126; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe flash player newfunction memory corruption attempt"; flow:from_server,established; file_data; content:"|D2 60 3B 40 C1 03 AB 12 E5 00 00 60 E8 03 24 00|"; content:"|46 FF 04 02 75 63 07 60 97 01 24 02 A1 62 04 0E|"; within:16; distance:16; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:19145; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office RTD buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.xls; content:"|EB 06 90 90 AD 57 00 30 81 C4 24 16 00 00 C3 41|"; fast_pattern:only; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:19132; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; content:"|FE 00 00 02 D6 FD FF 00 02 D5 FB FE 00 02 D4 FA FE 00 06 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-3945; reference:url,www.microsoft.com/technet/security/bulletin/MS10-105.mspx; 
classtype:attempted-user; sid:19156; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.avi; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,www.microsoft.com/technet/security/bulletin/MS10-033.mspx; classtype:attempted-user; sid:19146; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|39 00 02 00 01 00 0F 00 02 00 1D 00 00 00 FF FF 01 00 C0 09 1B FC 1E 00 23 01 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 23 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,www.microsoft.com/technet/security/bulletin/MS10-080.mspx; classtype:attempted-user; sid:19134; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office Excel PtgExtraArray parsing attempt"; flow:established,to_client; flowbits:isset,http.xls; content:"|69 6F 6E 60 01 00 00 B4 01 C7 03 42 03 FF 00 01 00 00 41 41 41 41 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,43654; reference:cve,2010-3239; classtype:attempted-user; sid:19154; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,http.asx; file_data; content:"|FF FA 92 60 41 41 41 41|"; within:8; metadata:policy security-ips drop; 
reference:bugtraq,42298; reference:cve,2010-1882; reference:url,www.microsoft.com/technet/security/bulletin/MS10-052.mspx; classtype:attempted-user; sid:19144; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|0E 00 24 41 41 41 41 24 04 00 02 C0 42 02 04 00 D7 00 0C 00 A2 00 00 00 3C 00 0E 00 0E 00 0E 00 C2 01 0C 00 00 00 06 00 00 00 03 00 02 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,www.microsoft.com/technet/security/bulletin/MS10-017.mspx; classtype:attempted-user; sid:19133; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Office RTD buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.xls; content:"|5A 03 00 00 00 15|excelrtd.rtdfunctions"; fast_pattern:only; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:19131; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - search request 3"; flow:to_server,established; content:"/search.cgi"; nocase; content:"source=lifestyle"; nocase; content:"query="; distance:0; nocase; content:"select="; distance:0; nocase; content:"Host|3A| desksearch.dropspam.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT shop at home select installation in progress - clsid detected"; flow:to_client,established; content:"C0EF89EE-EEC7-4535-A041-F1EBF79560A7"; fast_pattern:only; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0EF89EE-EEC7-4535-A041-F1EBF79560A7/si"; metadata:policy security-ips drop; reference:url,www.nuker.com/container/details/shop_at_home_select.php; classtype:misc-activity; sid:5811; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler smasoft webdownloader runtime detection"; flow:to_server,established; content:"User-Agent|3A| My Agent"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/w/webdownloader/Webdownloader1.2.html; classtype:misc-activity; sid:5913; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT mydailyhoroscope update or installation in progress"; flow:to_client,established; content:"07637823-C894-4A52-B3F9-5D77FD8E36A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07637823-C894-4A52-B3F9-5D77FD8E36A/si"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207; classtype:misc-activity; sid:5799; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker surfsidekick runtime detection - post request"; flow:to_server,established; content:"/requestimpression.aspx?"; nocase; content:"ver="; distance:0; nocase; content:"guid="; distance:0; nocase; content:"host="; distance:0; nocase; content:"Host|3A| ads.surfsidekick.com"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5844; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Other-Technologies SpywareStrike Runtime Detection"; flow:to_server,established; content:"User-Agent|3A| SpywareStrike"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.adwarereport.com/mt/archives/000248.html; 
reference:url,www.spywareguide.com/product_show.php?id=2438; classtype:misc-activity; sid:6186; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler navexcel search toolbar runtime detection - activate/update"; flow:to_server,established; content:"User-Agent|3A| NavExcel Search Toolbar"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:6278; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware lop runtime detection - collect info request 1"; flow:to_server,established; content:"/tba/"; nocase; content:"guid="; distance:0; nocase; content:"version="; distance:0; nocase; content:"clientid="; distance:0; nocase; content:"time="; distance:0; nocase; content:"locale="; distance:0; nocase; content:"session="; distance:0; nocase; content:"id="; distance:0; nocase; content:"idle="; distance:0; nocase; content:"queued="; distance:0; nocase; content:"crc="; distance:0; nocase; content:"User-Agent|3A| TPSystem"; fast_pattern:only; pcre:"/\x2Ftba\x2F(cm)|(cu)\?/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6238; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Adware searchsquire installtime/auto-update"; flow:to_client,established; content:"907CA0E5-CE84-11D6-9508-02608CDD2846"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3A\s*\x7B?\s*907CA0E5-CE84-11D6-9508-02608CDD2846/si"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6256; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware comedy planet runtime detection - collect user 
information"; flow:to_server,established; content:"/index.php?document="; fast_pattern:only; content:"form-data|3B|"; nocase; content:"name="; distance:0; nocase; content:"user_name"; distance:0; nocase; content:"user_email"; distance:0; nocase; metadata:policy security-ips drop; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7595; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware enbrowser snackman runtime detection"; flow:to_server,established; content:"/mbop/index.php3?"; nocase; content:"UID="; distance:0; nocase; content:"DIST="; distance:0; nocase; content:"VER="; distance:0; nocase; content:"Host|3A| www.digink.com"; fast_pattern:only; reference:url,www.popupsentry.com/S/SNACKMAN.EXE-4411.html; reference:url,www.spywareguide.com/spydet_2334_enbrowser.html; classtype:misc-activity; sid:12224; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sbu hotbar 4.8.4 runtime detection - user-agent string"; flow:to_server,established; content:"User-Agent|3A| SpamBlockerUtility 4.8.4"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.hotbar.html; reference:url,www.spywareguide.com/product_show.php?id=481; classtype:misc-activity; sid:12371; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker soso toolbar runtime detection - get weather information"; flow:to_server,established; content:"User-Agent|3A| TencentTraveler"; fast_pattern:only; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12486; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler pseudorat 0.1b runtime detection"; flow:to_server,established; content:"User-Agent|3A| ZOMBIES_HTTP_GET"; fast_pattern:only; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PseudoRAT&threatid=10053; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079890; classtype:misc-activity; sid:12482; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection"; flow:established,to_server; content:"User-Agent|3A| MyWaySearchAssistant"; fast_pattern:only; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:12679; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Trickler mm.exe runtime detection"; flow:from_server,established; content:"MZKERNEL32.DLL"; nocase; content:"LoadLibraryA"; distance:0; nocase; content:"GetProcAddress"; distance:0; nocase; pcre:"/^MZKERNEL32\x2eDLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress/smi"; reference:url,www.auditmypc.com/process/mm.asp; reference:url,www.fbmsoftware.com/spyware-net/process/mm_exe/1960/; classtype:misc-activity; sid:13813; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker rcse 4.4 runtime detection - hijack ie browser"; flow:to_server,established; content:"/10025rel/landing.php"; fast_pattern:only; content:"Rabio|3A|"; nocase; content:"RCSE"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*RCSE/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rabio&threatid=169974; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:13849; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - auto update"; flow:from_server,established; flowbits:isset,AdWare_Ejik.ec_Detection; content:"|3B|aa88.dll|3B|"; pcre:"/^\d+\x3baa88\x2edll\x3b\d+\x3b/smi"; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13939; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home"; flow:from_server,established; flowbits:isset,Dropper_Agent.rqg_Detection; content:"|7C|http|3A|//xxx.ads555.com/rj/cc1.exe|7C|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.Win32.Agent.rqg&threatid=289587; reference:url,virscan.org/report/2b00cbb9a861bd3dd79ef19a75de92f8.html; classtype:misc-activity; sid:13936; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Keylogger emptybase j runtime detection"; flow:to_server,established; content:"/th/script.php?"; nocase; content:"boundary=--__abcd-xyz789__--"; distance:0; nocase; content:"name=|22|Module|22 0D 0A 0D 0A|"; distance:0; nocase; content:"IE"; distance:0; nocase; pcre:"/name\x3d\x22Module\x22\x0d\x0a\x0d\x0a(IEGrabber|IEInjector|IEFaker|IEKeylogger|IETanGrabber|IEScrGrabber|IECertGrab|IEFileGrabber)/smi"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453117299; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malencpkay.html; classtype:successful-recon-limited; sid:14065; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker yoursitebar runtime detection"; flow:to_server,established; content:"User-Agent|3A| istsvc"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=974; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093992; classtype:misc-activity; sid:6281; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware try2find detection"; flow:to_server,established; content:"User-Agent|3A| Try2Find Toolbar"; fast_pattern:only; 
metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1086; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096392; classtype:successful-recon-limited; sid:6189; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware browserpal runtime detection - post user info to server"; flow:to_server,established; content:"User-Agent|3A| Browser Pal"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906; classtype:successful-recon-limited; sid:5954; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Dialer stripplayer runtime detection"; flow:to_server,established; content:"User-Agent|3A| Strip-Player"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=455; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072548; classtype:misc-activity; sid:5824; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker smart search runtime detection - get settings"; flow:to_server,established; content:"/settings/"; nocase; content:"Host|3A| www.searchreslt.com"; distance:0; nocase; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876; classtype:misc-activity; sid:6200; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware windupdates-mediagateway runtime detection - post data"; flow:to_server,established; content:"User-Agent|3A| ZC-Bridge"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094794; classtype:successful-recon-limited; sid:5988; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware forbes runtime detection"; flow:to_server,established; content:"User-Agent|3A| Dripline"; fast_pattern:only; metadata:policy 
security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=556; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075448; classtype:misc-activity; sid:5773; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker painter runtime detection - ping 'alive' signal"; flow:to_server,established; content:"/ping"; nocase; content:"Host|3A| 195.225."; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5918; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker marketscore runtime detection"; flow:to_server,established; content:"User-Agent|3A| OSSProxy"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=488; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43974; classtype:misc-activity; sid:5760; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 2"; flow:to_server,established; content:"/9899/srng/jrnl.php"; nocase; content:"PCID="; distance:0; nocase; content:"OS="; distance:0; nocase; content:"Category="; distance:0; nocase; content:"Field="; distance:0; nocase; content:"Description="; distance:0; nocase; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5891; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware dogpile runtime detection"; flow:to_server,established; content:"User-Agent|3A| Infospace Toolbar"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=651; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079953; classtype:misc-activity; sid:5750; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker 
shopathomeselect runtime detection"; flow:to_server,established; content:"SAHSelect=GUID="; nocase; content:"CustomerID="; nocase; content:"stealth="; nocase; content:"InstallerLocation="; fast_pattern:only; content:"LastPrefs="; nocase; content:"AgentVersion="; nocase; content:"CTG="; nocase; content:"WSS_GW="; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware commonname runtime detection"; flow:to_server,established; content:"User-Agent|3A| CommonName Agent"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=429; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078618; classtype:misc-activity; sid:6212; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker topfive searchassistant detection - post user information to server"; flow:to_server,established; content:"/downloads/rs.asp?"; nocase; content:"u="; distance:0; nocase; content:"p="; distance:0; nocase; content:"b="; distance:0; nocase; content:"c="; distance:0; nocase; content:"v="; distance:0; nocase; content:"o="; distance:0; nocase; content:"s="; distance:0; nocase; content:"User-Agent|3A| TM_SEARCH3"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5977; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware free access bar runtime detection 1"; flow:to_server,established; content:"User-Agent|3A| FreeAccessBar"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2493; classtype:misc-activity; sid:5944; rev:6;) alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker spediabar user-agent string detected"; flow:to_server,established; content:"User-Agent|3A| Spedia"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1693; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295; classtype:misc-activity; sid:6341; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler grokster runtime detection"; flow:to_server,established; content:"P2P-Agent|3A| Grokster"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.securemost.com/articles/rm_grokster.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060425; classtype:misc-activity; sid:5776; rev:7;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Hacker-Tool nettracker runtime detection - report browsing"; flow:from_server,established; flowbits:isset,NetTrack_Spy_ReportBrowsing; content:"NetTracker"; nocase; content:"Sane Solutions"; distance:0; nocase; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821; classtype:misc-activity; sid:7835; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware roogoo runtime detection - surfing monitor"; flow:to_server,established; content:"|7C|roogoo|7C|"; fast_pattern:only; pcre:"/^\x23\d+\x7c([0-9A-E]{2}\x2d){5}[0-9A-E]{2}\x7croogoo\x7c/smi"; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=3018; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:8545; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware onetoolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| Visicom"; fast_pattern:only; content:"Host|3A| onetoolbar"; 
nocase; metadata:policy security-ips alert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Adw.OneToolbar&threatid=43856; reference:url,www.spywareguide.com/product_show.php?id=2746; classtype:successful-recon-limited; sid:6191; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcastpc runtime detection - get config"; flow:to_server,established; content:"/v2.asmx"; nocase; content:"SOAPAction|3A| |22|http|3A|//ws.broadcastpc.tv/GetConfig|22|"; fast_pattern:only; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5989; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT RSPlug Trojan file download attempt"; flow:to_client,established; content:"|23|!/bin/sh"; nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15564; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT RSPlug Trojan file download attempt"; flow:to_client,established; content:"|23|!/bin/sh"; nocase; content:"<|22|!0 $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server"; flow:to_server,established; content:"/bc/ip.php"; nocase; content:"Host|3A| ads.targetedbanner.biz"; distance:0; nocase; reference:url,www.sophos.com/security/analyses/adware-and-puas/rightonadz.html; classtype:successful-recon-limited; sid:16116; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trojan.Win32.QQFish contact to server attempt"; flow:to_server,established; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:policy 
balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528-1286946878; classtype:trojan-activity; sid:19056; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:established,to_client; content:"WebViewFolderIcon.WebViewFolderIcon.1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:8419; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Trident HTMLEditor ActiveX Object Access"; flow:from_server,established; content:"3050F4F5-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4F5-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4893; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Mixing Renderer 9 ActiveX Object Access"; flow:from_server,established; content:"51B4ABF3-748F-4E3B-A276-C828330E926A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*51B4ABF3-748F-4E3B-A276-C828330E926A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4902; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Interlacer ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|6|00|C|00|B|00|1|00|F|00|E|00|3|00|-|00|B|00|0|00|5|00|E|00|-|00|4|00|F|00|0|00|E|00|-|00|8|00|1|00|8|00|F|00|-|00|C|00|8|00|3|00|E|00|D|00|5|00|A|00|0|00|3|00|3|00|2|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x00C\x00B\x001\x00F\x00E\x003\x00-\x00B\x000\x005\x00E\x00-\x004\x00F\x000\x00E\x00-\x008\x001\x008\x00F\x00-\x00C\x008\x003\x00E\x00D\x005\x00A\x000\x003\x003\x002\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7479; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8789; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LexRefStFrObject Class ActiveX Object Access"; flow:from_server,established; content:"B3E0E785-BD78-4366-9560-B7DABE2723BE"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B3E0E785-BD78-4366-9560-B7DABE2723BE/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4209; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call"; flow:established,to_client; 
content:"TLI.TLIApplication"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2007-2216; reference:url,www.microsoft.com/technet/security/bulletin/ms07-045.mspx; classtype:attempted-user; sid:12270; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Certificate Enrollment ActiveX Object Access"; flow:from_server,established; content:"43F8F289-7A20-11D0-8F06-00C04FC295E1"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*43F8F289-7A20-11D0-8F06-00C04FC295E1/si"; metadata:policy security-ips drop; reference:bugtraq,5593; reference:cve,2002-0699; reference:url,www.microsoft.com/technet/security/bulletin/MS02-048.mspx; classtype:attempted-user; sid:4184; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID access"; flow:established,to_client; content:"B6FFC24C-7E13-11D0-9B47-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FFC24C-7E13-11D0-9B47-00C04FC2F51D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7950; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Index Server Scope Administration ActiveX Object Access"; flow:from_server,established; content:"3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4200; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic WebClass ActiveX Object Access"; flow:from_server,established; content:"6B7F1602-D44C-11D0-A7D9-AE3D17000000"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B7F1602-D44C-11D0-A7D9-AE3D17000000/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4218; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|B|00|3|00|3|00|9|00|A|00|4|00|6|00|-|00|7|00|C|00|4|00|9|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|B|00|F|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|7|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00B\x003\x003\x009\x00A\x004\x006\x00-\x007\x00C\x004\x009\x00-\x001\x001\x00d\x002\x00-\x009\x00B\x00F\x003\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x007\x008\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8754; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Route ActiveX Object Access"; flow:from_server,established; content:"4CECCEB2-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB2-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6008; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_US Stemmer ActiveX CLSID access"; flow:established,to_client; content:"EEED4C20-7F1B-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EEED4C20-7F1B-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8011; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|4|00|7|00|7|00|1|00|6|00|9|00|-|00|4|00|7|00|5|00|2|00|-|00|4|00|1|00|D|00|C|00|-|00|A|00|B|00|0|00|F|00|-|00|C|00|5|00|0|00|E|00|B|00|A|00|7|00|5|00|6|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x004\x007\x007\x001\x006\x009\x00-\x004\x007\x005\x002\x00-\x004\x001\x00D\x00C\x00-\x00A\x00B\x000\x00F\x00-\x00C\x005\x000\x00E\x00B\x00A\x007\x005\x006\x004\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7891; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID access"; flow:established,to_client; content:"D670D0B3-05AB-4115-9F87-D983EF1AC747"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D670D0B3-05AB-4115-9F87-D983EF1AC747/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7894; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID access"; flow:established,to_client; content:"4EFE2452-168A-11D1-BC76-00C04FB9453B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4EFE2452-168A-11D1-BC76-00C04FB9453B/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8029; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID access"; flow:established,to_client; content:"9CDE7341-3C20-11D0-A330-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CDE7341-3C20-11D0-A330-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8801; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8793; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|2|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; 
nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x002\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7957; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Business Object Factory ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|B|00|9|00|B|00|C|00|E|00|D|00|D|00|-|00|E|00|C|00|7|00|E|00|-|00|4|00|7|00|E|00|1|00|-|00|9|00|3|00|2|00|2|00|-|00|D|00|4|00|A|00|2|00|1|00|0|00|6|00|1|00|7|00|1|00|1|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00B\x009\x00B\x00C\x00E\x00D\x00D\x00-\x00E\x00C\x007\x00E\x00-\x004\x007\x00E\x001\x00-\x009\x003\x002\x002\x00-\x00D\x004\x00A\x002\x001\x000\x006\x001\x007\x001\x001\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8364; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Recordset ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|3|00|5|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x003\x005\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7869; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|0|00|B|00|4|00|7|00|9|00|1|00|F|00|-|00|4|00|7|00|3|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x000\x00B\x004\x007\x009\x001\x00F\x00-\x004\x007\x003\x001\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8745; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID access"; flow:established,to_client; content:"ADC6CB86-424C-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADC6CB86-424C-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7910; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000 and 2002 Web Components Chart ActiveX Object Access"; flow:from_server,established; content:"0002E500-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E500-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4176; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QuickTime Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|2|00|B|00|F|00|2|00|5|00|D|00|5|00|-|00|8|00|C|00|1|00|7|00|-|00|4|00|B|00|2|00|3|00|-|00|B|00|C|00|8|00|0|00|-|00|D|00|3|00|4|00|8|00|8|00|A|00|B|00|D|00|D|00|C|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x002\x00B\x00F\x002\x005\x00D\x005\x00-\x008\x00C\x001\x007\x00-\x004\x00B\x002\x003\x00-\x00B\x00C\x008\x000\x00-\x00D\x003\x004\x008\x008\x00A\x00B\x00D\x00D\x00C\x006\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8376; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID access"; flow:established,to_client; content:"E31E87C4-86EA-4940-9B8A-5BD5D179A737"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E31E87C4-86EA-4940-9B8A-5BD5D179A737/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7922; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 
AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID access"; flow:established,to_client; content:"1B00725B-C455-4DE6-BFB6-AD540AD427CD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B00725B-C455-4DE6-BFB6-AD540AD427CD/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7880; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8781; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MsnPUpld ActiveX Object Access"; flow:from_server,established; content:"C3DFA998-A486-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3DFA998-A486-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4191; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID access"; flow:established,to_client; 
content:"353359C1-39E1-491b-9951-464FD8AB071C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6684; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX McSubMgr ActiveX CLSID access"; flow:established,to_client; content:"9be8d7b2-329c-442a-a4ac-aba9d7572602"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9be8d7b2-329c-442a-a4ac-aba9d7572602/si"; metadata:policy security-ips drop; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7864; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|5|00|4|00|4|00|C|00|2|00|4|00|-|00|F|00|D|00|0|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|6|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|4|00|B|00|5|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x005\x004\x004\x00C\x002\x004\x00-\x00F\x00D\x000\x00B\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x006\x003\x00-\x000\x000\x00A\x00A\x000\x000\x004\x004\x00B\x005\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7434; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"8|00|5|00|A|00|4|00|A|00|9|00|9|00|C|00|-|00|8|00|C|00|3|00|D|00|-|00|4|00|9|00|9|00|E|00|-|00|A|00|3|00|8|00|6|00|-|00|E|00|0|00|7|00|4|00|3|00|D|00|F|00|F|00|8|00|F|00|B|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00A\x004\x00A\x009\x009\x00C\x00-\x008\x00C\x003\x00D\x00-\x004\x009\x009\x00E\x00-\x00A\x003\x008\x006\x00-\x00E\x000\x007\x004\x003\x00D\x00F\x00F\x008\x00F\x00B\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8736; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID access"; flow:established,to_client; content:"860D28D0-8BF4-11CE-BE59-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860D28D0-8BF4-11CE-BE59-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8007; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID access"; flow:established,to_client; content:"CC7BFB43-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB43-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8045; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID access"; flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7484; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access"; flow:from_server,established; content:"1fb464c8-09bb-4017-a2f5-eb742f04392f"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1fb464c8-09bb-4017-a2f5-eb742f04392f/si"; metadata:policy security-ips drop; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,www.microsoft.com/technet/security/bulletin/MS02-046.mspx; classtype:attempted-user; sid:4185; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Source ActiveX CLSID access"; flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7494; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatq.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|B|00|3|00|A|00|E|00|C|00|B|00|-|00|D|00|F|00|D|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|D|00|A|00|A|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|8|00|5|00|C|00|F|00|E|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00B\x003\x00A\x00E\x00C\x00B\x00-\x00D\x00F\x00D\x006\x00-\x001\x001\x00D\x001\x00-\x009\x00D\x00A\x00A\x00-\x000\x000\x008\x000\x005\x00F\x008\x005\x00C\x00F\x00E\x003\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7996; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MSVTDGridCtrl7 ActiveX Object Access"; flow:from_server,established; content:"6F9F3481-84DD-4B14-B09C-6B4288ECCDE8"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6F9F3481-84DD-4B14-B09C-6B4288ECCDE8/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4234; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Trouble Shooter ActiveX Object Access"; flow:from_server,established; content:"4B106874-DD36-11D0-8B44-00A024DD9EFF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4B106874-DD36-11D0-8B44-00A024DD9EFF/si"; metadata:policy security-ips drop; reference:bugtraq,8833; reference:cve,2003-0662; reference:url,www.microsoft.com/technet/security/bulletin/MS03-042.mspx; classtype:attempted-user; sid:4145; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX SuperBuddy Class ActiveX CLSID access"; flow:established,to_client; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; metadata:policy security-ips drop; 
classtype:attempted-user; sid:7983; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|4|00|7|00|8|00|F|00|6|00|4|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x004\x007\x008\x00F\x006\x004\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8038; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft SysTray ActiveX Object Access"; flow:from_server,established; content:"35CEC8A3-2BE6-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*35CEC8A3-2BE6-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4231; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_UK Stemmer ActiveX CLSID access"; flow:established,to_client; content:"D99F7670-7F1A-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D99F7670-7F1A-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; 
classtype:attempted-user; sid:8009; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Data Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8722; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|5|00|D|00|F|00|9|00|D|00|1|00|0|00|-|00|3|00|B|00|5|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|3|00|E|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x005\x00D\x00F\x009\x00D\x001\x000\x00-\x003\x00B\x005\x002\x00-\x001\x001\x00D\x001\x00-\x008\x003\x00E\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x00D\x00C\x008\x004\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:7986; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ACM Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A761-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A761-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7991; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|1|00|0|00|8|00|7|00|2|00|7|00|0|00|-|00|D|00|3|00|4|00|8|00|-|00|4|00|3|00|2|00|C|00|-|00|8|00|9|00|9|00|E|00|-|00|2|00|D|00|2|00|F|00|3|00|8|00|F|00|F|00|2|00|9|00|A|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x001\x000\x008\x007\x002\x007\x000\x00-\x00D\x003\x004\x008\x00-\x004\x003\x002\x00C\x00-\x008\x009\x009\x00E\x00-\x002\x00D\x002\x00F\x003\x008\x00F\x00F\x002\x009\x00A\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7489; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8826; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|4|00|2|00|D|00|3|00|8|00|5|00|A|00|-|00|D|00|5|00|B|00|F|00|-|00|4|00|2|00|7|00|D|00|-|00|9|00|A|00|F|00|2|00|-|00|8|00|8|00|2|00|5|00|8|00|F|00|B|00|7|00|3|00|E|00|A|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x004\x002\x00D\x003\x008\x005\x00A\x00-\x00D\x005\x00B\x00F\x00-\x004\x002\x007\x00D\x00-\x009\x00A\x00F\x002\x00-\x008\x008\x002\x005\x008\x00F\x00B\x007\x003\x00E\x00A\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8400; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PostBootReminder object ActiveX CLSID access"; flow:established,to_client; content:"7849596A-48EA-486E-8937-A2A3009F31A9"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7849596A-48EA-486E-8937-A2A3009F31A9/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7970; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player Active Movie ActiveX Object Access"; flow:from_server,established; content:"05589FA1-C356-11CE-BF01-00AA0055595A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05589FA1-C356-11CE-BF01-00AA0055595A/si"; metadata:policy security-ips drop; reference:bugtraq,1221; reference:cve,2000-0400; classtype:attempted-user; sid:4158; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Marquee Control ActiveX Object Access"; flow:from_server,established; content:"250770F3-6AF2-11CF-A915-008029E31FCD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*250770F3-6AF2-11CF-A915-008029E31FCD/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4203; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|4|00|5|00|B|00|0|00|B|00|0|00|-|00|7|00|2|00|D|00|8|00|-|00|4|00|6|00|5|00|2|00|-|00|A|00|E|00|5|00|F|00|-|00|5|00|E|00|3|00|E|00|2|00|6|00|6|00|B|00|E|00|7|00|E|00|D|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x004\x005\x00B\x000\x00B\x000\x00-\x007\x002\x00D\x008\x00-\x004\x006\x005\x002\x00-\x00A\x00E\x005\x00F\x00-\x005\x00E\x003\x00E\x002\x006\x006\x00B\x00E\x007\x00E\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7453; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Windows 
Start Menu ActiveX Object Access"; flow:from_server,established; content:"4622AD11-FF23-11D0-8D34-00A0C90F2719"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4622AD11-FF23-11D0-8D34-00A0C90F2719/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4228; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Record Queue ActiveX CLSID access"; flow:established,to_client; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7446; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft ProxyStub Dispatch ActiveX Object Access"; flow:from_server,established; content:"00020420-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020420-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4221; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID access"; flow:established,to_client; content:"65BCBEE4-7728-41A0-97BE-14E1CAE36AAE"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*65BCBEE4-7728-41A0-97BE-14E1CAE36AAE/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8397; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID access"; flow:established,to_client; 
content:"A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7898; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8810; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Property Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710C-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710C-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4909; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|6|00|2|00|7|00|9|00|7|00|E|00|-|00|1|00|2|00|4|00|9|00|-|00|4|00|5|00|9|00|6|00|-|00|9|00|F|00|F|00|7|00|-|00|A|00|C|00|6|00|D|00|8|00|5|00|1|00|A|00|5|00|4|00|2|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x006\x002\x007\x009\x007\x00E\x00-\x001\x002\x004\x009\x00-\x004\x005\x009\x006\x00-\x009\x00F\x00F\x007\x00-\x00A\x00C\x006\x00D\x008\x005\x001\x00A\x005\x004\x002\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7887; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID access"; flow:established,to_client; content:"3A04D93B-1EDD-4F3F-A375-A03EC19572C4"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A04D93B-1EDD-4F3F-A375-A03EC19572C4/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7946; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|5|00|B|00|7|00|F|00|6|00|3|00|-|00|F|00|0|00|6|00|F|00|-|00|4|00|3|00|3|00|1|00|-|00|8|00|A|00|2|00|6|00|-|00|3|00|3|00|9|00|E|00|0|00|3|00|C|00|0|00|A|00|E|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x005\x00B\x007\x00F\x006\x003\x00-\x00F\x000\x006\x00F\x00-\x004\x003\x003\x001\x00-\x008\x00A\x002\x006\x00-\x003\x003\x009\x00E\x000\x003\x00C\x000\x00A\x00E\x003\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; sid:8370; rev:6;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX French_French Stemmer ActiveX CLSID access"; flow:established,to_client; content:"2A6EB050-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2A6EB050-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8013; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID access"; flow:established,to_client; content:"CC7BFB42-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB42-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8043; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; 
classtype:attempted-user; sid:8778; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatex.dll ActiveX CLSID access"; flow:established,to_client; content:"E846F0A0-D367-11D1-8286-00A0C9231C29"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E846F0A0-D367-11D1-8286-00A0C9231C29/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7993; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISupportErrorInfo Interface ActiveX Object Access"; flow:from_server,established; content:"DF0B3D60-548F-101B-8E65-08002B2BD119"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DF0B3D60-548F-101B-8E65-08002B2BD119/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4899; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID access"; flow:established,to_client; content:"68A499C7-F9B0-11D2-93D4-00A0C981B035"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68A499C7-F9B0-11D2-93D4-00A0C981B035/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7882; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MS Audio Decompressor Control Property Page ActiveX Object Access"; flow:from_server,established; content:"8FE7E181-BB96-11D2-A1CB-00609778EA66"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8FE7E181-BB96-11D2-A1CB-00609778EA66/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4207; 
rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CommunicationManager ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|7|00|D|00|C|00|C|00|4|00|8|00|7|00|-|00|A|00|A|00|4|00|8|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|F|00|4|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|6|00|1|00|1|00|C|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x00D\x00C\x00C\x004\x008\x007\x00-\x00A\x00A\x004\x008\x00-\x001\x001\x00D\x001\x00-\x008\x00F\x004\x00F\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x006\x001\x001\x00C\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8002; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8828; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8817; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8808; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8838; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|7|00|B|00|6|00|C|00|0|00|4|00|A|00|-|00|C|00|B|00|B|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|B|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|4|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x007\x00B\x006\x00C\x000\x004\x00A\x00-\x00C\x00B\x00B\x005\x00-\x001\x001\x00D\x000\x00-\x00B\x00B\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x004\x001\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8022; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Interlacer ActiveX CLSID access"; flow:established,to_client; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7478; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|E|00|C|00|F|00|5|00|D|00|2|00|E|00|-|00|7|00|A|00|1|00|8|00|-|00|4|00|D|00|D|00|2|00|-|00|B|00|D|00|C|00|D|00|-|00|2|00|9|00|B|00|6|00|F|00|6|00|1|00|5|00|B|00|4|00|4|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00E\x00C\x00F\x005\x00D\x002\x00E\x00-\x007\x00A\x001\x008\x00-\x004\x00D\x00D\x002\x00-\x00B\x00D\x00C\x00D\x00-\x002\x009\x00B\x006\x00F\x006\x001\x005\x00B\x004\x004\x008\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7469; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Files Viewer ActiveX Object Access"; flow:from_server,established; content:"970C7E08-05A7-11D0-89AA-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*970C7E08-05A7-11D0-89AA-00A0C9054129/si"; metadata:policy security-ips drop; reference:bugtraq,5489; reference:cve,2002-0975; reference:url,www.microsoft.com/technet/security/bulletin/MS02-066.mspx; classtype:attempted-user; sid:4179; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID access"; flow:established,to_client; content:"E71B4063-3E59-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E71B4063-3E59-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; 
reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7924; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|4|00|C|00|7|00|9|00|5|00|9|00|1|00|-|00|D|00|0|00|D|00|E|00|-|00|4|00|9|00|C|00|4|00|-|00|B|00|A|00|3|00|C|00|-|00|A|00|4|00|5|00|A|00|B|00|7|00|0|00|0|00|3|00|3|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x004\x00C\x007\x009\x005\x009\x001\x00-\x00D\x000\x00D\x00E\x00-\x004\x009\x00C\x004\x00-\x00B\x00A\x003\x00C\x00-\x00A\x004\x005\x00A\x00B\x007\x000\x000\x003\x003\x005\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7455; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID access"; flow:established,to_client; content:"1853E19A-4E54-4190-8DEB-2E1CC947CD60"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1853E19A-4E54-4190-8DEB-2E1CC947CD60/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7918; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|4|00|7|00|6|00|C|00|B|00|F|00|F|00|-|00|E|00|2|00|2|00|9|00|-|00|4|00|5|00|2|00|4|00|-|00|B|00|6|00|B|00|7|00|-|00|2|00|2|00|8|00|A|00|3|00|1|00|2|00|9|00|D|00|1|00|C|00|7|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x004\x007\x006\x00C\x00B\x00F\x00F\x00-\x00E\x002\x002\x009\x00-\x004\x005\x002\x004\x00-\x00B\x006\x00B\x007\x00-\x002\x002\x008\x00A\x003\x001\x002\x009\x00D\x001\x00C\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7471; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8798; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|2|00|3|00|E|00|2|00|8|00|8|00|2|00|-|00|F|00|C|00|0|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|A|00|7|00|7|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|6|00|A|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x002\x003\x00E\x002\x008\x008\x002\x00-\x00F\x00C\x000\x00E\x00-\x001\x001\x00D\x001\x00-\x009\x00A\x007\x007\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x006\x00A\x001\x000\x00/si"; metadata:policy security-ips drop; 
reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; reference:url,osvdb.org/27109; classtype:attempted-user; sid:7941; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000 and 2002 Web Components Record Navigation Control ActiveX Object Access"; flow:from_server,established; content:"0002E531-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E531-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4178; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Log Filter ActiveX CLSID access"; flow:established,to_client; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7480; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_UK Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|9|00|F|00|7|00|6|00|7|00|0|00|-|00|7|00|F|00|1|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x009\x00F\x007\x006\x007\x000\x00-\x007\x00F\x001\x00A\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; 
metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8010; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Layout ActiveX Object Access"; flow:from_server,established; content:"1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6002; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX German_German Stemmer ActiveX CLSID access"; flow:established,to_client; content:"510A4910-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*510A4910-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8015; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Generic Class ActiveX Object Access"; flow:from_server,established; content:"4FAAB301-CEF6-477C-9F58-F601039E9B78"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4FAAB301-CEF6-477C-9F58-F601039E9B78/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4212; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Adodb.Stream ActiveX Object Access"; flow:from_server,established; content:"00000566-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000566-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,www.microsoft.com/technet/security/bulletin/ms04-025.mspx; classtype:attempted-user; sid:4982; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|1|00|8|00|8|00|F|00|7|00|A|00|3|00|-|00|A|00|0|00|4|00|E|00|-|00|4|00|1|00|3|00|E|00|-|00|9|00|9|00|D|00|1|00|-|00|D|00|7|00|9|00|A|00|4|00|5|00|F|00|7|00|0|00|3|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x001\x008\x008\x00F\x007\x00A\x003\x00-\x00A\x000\x004\x00E\x00-\x004\x001\x003\x00E\x00-\x009\x009\x00D\x001\x00-\x00D\x007\x009\x00A\x004\x005\x00F\x007\x000\x003\x000\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7473; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Allocator Fix ActiveX CLSID access"; flow:established,to_client; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7427; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|D|00|0|00|0|00|0|00|2|00|0|00|C|00|-|00|8|00|B|00|9|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|1|00|6|00|2|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00D\x000\x000\x000\x002\x000\x00C\x00-\x008\x00B\x009\x005\x00-\x001\x001\x00D\x001\x00-\x008\x002\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x001\x006\x002\x005\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7907; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:established,to_client; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-057.mspx; classtype:attempted-user; sid:7985; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft SysTray Invoker ActiveX Object Access"; flow:from_server,established; content:"730F6CDC-2C86-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*730F6CDC-2C86-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4232; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shell Automation Service ActiveX Object Access"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; metadata:policy security-ips drop; reference:bugtraq,9335; classtype:attempted-user; sid:4168; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|5|00|1|00|6|00|F|00|F|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x005\x001\x006\x00F\x00F\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8036; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access"; flow:from_server,established; content:"791fa017-2de3-492e-acc5-53c67a2b94d0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*791fa017-2de3-492e-acc5-53c67a2b94d0/si"; metadata:policy security-ips drop; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,www.microsoft.com/technet/security/bulletin/MS02-046.mspx; classtype:attempted-user; sid:4187; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Active Setup ActiveX Object Access"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; metadata:policy security-ips drop; reference:bugtraq,775; reference:cve,2000-0329; reference:url,www.microsoft.com/technet/security/bulletin/MS99-048.mspx; classtype:attempted-user; sid:4154; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Bitmap ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|F|00|3|00|E|00|5|00|0|00|B|00|D|00|-|00|A|00|9|00|D|00|7|00|-|00|4|00|7|00|2|00|1|00|-|00|B|00|0|00|E|00|1|00|-|00|0|00|0|00|C|00|B|00|4|00|2|00|A|00|0|00|A|00|7|00|4|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x003\x00E\x005\x000\x00B\x00D\x00-\x00A\x009\x00D\x007\x00-\x004\x007\x002\x001\x00-\x00B\x000\x00E\x001\x00-\x000\x000\x00C\x00B\x004\x002\x00A\x000\x00A\x007\x004\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7430; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor ActiveX CLSID access"; flow:established,to_client; content:"C4D2D8E0-D1DD-11CE-940F-008029004347"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C4D2D8E0-D1DD-11CE-940F-008029004347/si"; metadata:policy security-ips drop; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,www.microsoft.com/technet/security/bulletin/MS00-085.mspx; classtype:attempted-user; sid:8725; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Editing ActiveX Object Access"; flow:from_server,established; content:"6D940280-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940280-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4193; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID access"; flow:established,to_client; content:"03F998B2-0E00-11D3-A498-00104B6EB52E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03F998B2-0E00-11D3-A498-00104B6EB52E/si"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7878; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|E|00|E|00|4|00|2|00|2|00|9|00|3|00|-|00|C|00|3|00|1|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|6|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|A|00|0|00|6|00|E|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00E\x00E\x004\x002\x002\x009\x003\x00-\x00C\x003\x001\x005\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x006\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x00A\x000\x006\x00E\x001\x00F\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7998; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID access"; flow:established,to_client; content:"F9EFBEC2-4302-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9EFBEC2-4302-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:cve,2006-2383; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6517; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DocHost User Interface Handler ActiveX Object Access"; flow:from_server,established; content:"7057E952-BD1B-11D1-8919-00C04FC2C836"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7057E952-BD1B-11D1-8919-00C04FC2C836/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4226; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX cfw Class ActiveX Object Access"; flow:from_server,established; content:"ECABAFC0-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC0-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4891; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID access"; flow:established,to_client; content:"47F59200-8783-11D2-8343-00A0C945A819"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47F59200-8783-11D2-8343-00A0C945A819/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8391; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID access"; flow:established,to_client; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7492; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualExec Control ActiveX CLSID access"; flow:established,to_client; content:"99EA8527-6A6A-40FE-A67C-82CF763902D0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99EA8527-6A6A-40FE-A67C-82CF763902D0/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8407; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player 7+ ActiveX Object Access"; flow:from_server,established; content:"6BF52A52-394A-11D3-B153-00C04F79FAA6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6BF52A52-394A-11D3-B153-00C04F79FAA6/si"; metadata:policy security-ips drop; reference:bugtraq,12031; reference:bugtraq,12032; reference:bugtraq,2167; reference:cve,2001-0148; reference:cve,2004-1324; reference:cve,2004-1325; reference:url,www.microsoft.com/technet/security/bulletin/MS01-015.mspx; classtype:attempted-user; sid:4156; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dynamic Casts ActiveX clsid access"; flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7435; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShotDetect ActiveX CLSID access"; flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; 
metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7448; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DocFind Command ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|0|00|5|00|E|00|6|00|9|00|0|00|-|00|6|00|7|00|8|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|7|00|5|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|6|00|4|00|F|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x000\x005\x00E\x006\x009\x000\x00-\x006\x007\x008\x00D\x00-\x001\x001\x00D\x001\x00-\x00B\x007\x005\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x006\x004\x00F\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8412; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|4|00|4|00|F|00|4|00|8|00|0|00|6|00|-|00|E|00|8|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|6|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|3|00|0|00|8|00|7|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x004\x004\x00F\x004\x008\x000\x006\x00-\x00E\x008\x00A\x008\x00-\x001\x001\x00D\x002\x00-\x009\x006\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x003\x000\x008\x007\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7988; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX 
CLSID access"; flow:established,to_client; content:"D17506C3-6B26-11D0-8914-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D17506C3-6B26-11D0-8914-00C04FC2A0CA/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8843; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8790; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Xml2Dex ActiveX CLSID access"; flow:established,to_client; content:"18C628EE-962A-11D2-8D08-00A0C9441E20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18C628EE-962A-11D2-8D08-00A0C9441E20/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8379; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Registration Wizard ActiveX Object Access"; flow:from_server,established; content:"50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"; 
fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50E5E3D1-C07E-11D0-B9FD-00A0249F6B00/si"; metadata:policy security-ips drop; reference:bugtraq,671; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4171; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Root ActiveX Object Access"; flow:from_server,established; content:"6E22710F-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710F-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4912; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access"; flow:from_server,established; content:"BC5F1E51-5110-11D1-AFF5-006097C9A284"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC5F1E51-5110-11D1-AFF5-006097C9A284/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4198; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8796; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID access"; flow:established,to_client; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4C6F-AA96-4E4DC6DC291E/si"; metadata:policy security-ips drop; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; classtype:attempted-user; sid:7914; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Log Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|2|00|8|00|8|00|3|00|6|00|6|00|7|00|-|00|E|00|9|00|5|00|C|00|-|00|4|00|4|00|3|00|D|00|-|00|A|00|C|00|9|00|6|00|-|00|4|00|C|00|A|00|C|00|A|00|2|00|7|00|B|00|E|00|B|00|6|00|E|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x002\x008\x008\x003\x006\x006\x007\x00-\x00E\x009\x005\x00C\x00-\x004\x004\x003\x00D\x00-\x00A\x00C\x009\x006\x00-\x004\x00C\x00A\x00C\x00A\x002\x007\x00B\x00E\x00B\x006\x00E\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7481; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|9|00|A|00|D|00|9|00|0|00|E|00|F|00|-|00|1|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x009\x00A\x00D\x009\x000\x00E\x00F\x00-\x001\x00C\x002\x000\x00-\x001\x001\x00D\x001\x00-\x008\x008\x000\x001\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7953; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|3|00|1|00|D|00|1|00|1|00|-|00|6|00|F|00|D|00|2|00|-|00|4|00|6|00|5|00|9|00|-|00|A|00|D|00|7|00|5|00|-|00|1|00|5|00|5|00|F|00|A|00|1|00|4|00|3|00|F|00|4|00|2|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x003\x001\x00D\x001\x001\x00-\x006\x00F\x00D\x002\x00-\x004\x006\x005\x009\x00-\x00A\x00D\x007\x005\x00-\x001\x005\x005\x00F\x00A\x001\x004\x003\x00F\x004\x002\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7443; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x007\x00F\x005\x009\x002\x000\x000\x00-\x008\x007\x008\x003\x00-\x001\x001\x00D\x002\x00-\x008\x003\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x004\x005\x00A\x008\x001\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8392; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|C|00|D|00|E|00|7|00|3|00|4|00|1|00|-|00|3|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|3|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00C\x00D\x00E\x007\x003\x004\x001\x00-\x003\x00C\x002\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x003\x000\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8802; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Rendezvous Class ActiveX CLSID access"; flow:established,to_client; content:"F1029E5B-CB5B-11D0-8D59-00C04FD91AC0"; fast_pattern:only; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F1029E5B-CB5B-11D0-8D59-00C04FD91AC0/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7974; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Frame Eater ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|C|00|6|00|8|00|9|00|5|00|5|00|E|00|-|00|F|00|9|00|6|00|5|00|-|00|4|00|2|00|4|00|9|00|-|00|8|00|E|00|1|00|8|00|-|00|F|00|0|00|9|00|7|00|7|00|B|00|1|00|D|00|2|00|8|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00C\x006\x008\x009\x005\x005\x00E\x00-\x00F\x009\x006\x005\x00-\x004\x002\x004\x009\x00-\x008\x00E\x001\x008\x00-\x00F\x000\x009\x007\x007\x00B\x001\x00D\x002\x008\x009\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7438; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|2|00|9|00|0|00|B|00|D|00|5|00|-|00|4|00|8|00|A|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|4|00|3|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|C|00|3|00|F|00|B|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x002\x009\x000\x00B\x00D\x005\x00-\x004\x008\x00A\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x004\x003\x002\x00-\x000\x000\x006\x000\x000\x008\x00C\x003\x00F\x00B\x00F\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; 
reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,www.microsoft.com/technet/security/Bulletin/MS99-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; classtype:attempted-user; sid:8065; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID access"; flow:established,to_client; content:"CD00020C-8B95-11D1-82DB-00C04FB1625D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CD00020C-8B95-11D1-82DB-00C04FB1625D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7906; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|6|00|7|00|0|00|D|00|0|00|B|00|3|00|-|00|0|00|5|00|A|00|B|00|-|00|4|00|1|00|1|00|5|00|-|00|9|00|F|00|8|00|7|00|-|00|D|00|9|00|8|00|3|00|E|00|F|00|1|00|A|00|C|00|7|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x006\x007\x000\x00D\x000\x00B\x003\x00-\x000\x005\x00A\x00B\x00-\x004\x001\x001\x005\x00-\x009\x00F\x008\x007\x00-\x00D\x009\x008\x003\x00E\x00F\x001\x00A\x00C\x007\x004\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7895; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|8|00|A|00|4|00|9|00|9|00|C|00|7|00|-|00|F|00|9|00|B|00|0|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|D|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|8|00|1|00|B|00|0|00|3|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x008\x00A\x004\x009\x009\x00C\x007\x00-\x00F\x009\x00B\x000\x00-\x001\x001\x00D\x002\x00-\x009\x003\x00D\x004\x00-\x000\x000\x00A\x000\x00C\x009\x008\x001\x00B\x000\x003\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7883; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Switch Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|1|00|0|00|5|00|B|00|C|00|3|00|-|00|C|00|0|00|6|00|4|00|-|00|4|00|5|00|F|00|1|00|-|00|A|00|D|00|5|00|3|00|-|00|6|00|D|00|8|00|A|00|8|00|5|00|7|00|8|00|D|00|0|00|1|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x001\x000\x005\x00B\x00C\x003\x00-\x00C\x000\x006\x004\x00-\x004\x005\x00F\x001\x00-\x00A\x00D\x005\x003\x00-\x006\x00D\x008\x00A\x008\x005\x007\x008\x00D\x000\x001\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7491; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID access"; flow:established,to_client; content:"283807B5-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B5-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8765; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID access"; flow:established,to_client; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06723E09-F4C2-43c8-8358-09FCD1DB0766/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8373; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8819; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT PolyLine Control 2 ActiveX Object Access"; flow:from_server,established; content:"D24D4453-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4453-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4204; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|D|00|3|00|6|00|C|00|E|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00D\x003\x006\x00C\x00E\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8024; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4163; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Progress Ctl ActiveX Object Access"; flow:from_server,established; content:"0006F071-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F071-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4900; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|1|00|7|00|5|00|0|00|6|00|C|00|3|00|-|00|6|00|B|00|2|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x001\x007\x005\x000\x006\x00C\x003\x00-\x006\x00B\x002\x006\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x004\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8844; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX German_German Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|1|00|0|00|A|00|4|00|9|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x001\x000\x00A\x004\x009\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8016; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|0|00|C|00|0|00|7|00|D|00|5|00|6|00|-|00|7|00|C|00|6|00|9|00|-|00|4|00|3|00|F|00|1|00|-|00|B|00|4|00|A|00|0|00|-|00|2|00|5|00|F|00|5|00|A|00|1|00|1|00|F|00|A|00|B|00|1|00|9|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x000\x00C\x000\x007\x00D\x005\x006\x00-\x007\x00C\x006\x009\x00-\x004\x003\x00F\x001\x00-\x00B\x004\x00A\x000\x00-\x002\x005\x00F\x005\x00A\x001\x001\x00F\x00A\x00B\x001\x009\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8368; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|F|00|1|00|5|00|8|00|E|00|1|00|-|00|C|00|B|00|0|00|4|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|E|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00F\x001\x005\x008\x00E\x001\x00-\x00C\x00B\x000\x004\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x00E\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8050; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|1|00|1|00|4|00|5|00|5|00|5|00|0|00|-|00|A|00|4|00|5|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|9|00|0|00|2|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|2|00|3|00|9|00|0|00|8|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x001\x001\x004\x005\x005\x005\x000\x00-\x00A\x004\x005\x004\x00-\x001\x001\x00D\x004\x00-\x009\x000\x002\x000\x00-\x000\x000\x00D\x000\x00B\x007\x002\x003\x009\x000\x008\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7889; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID access"; flow:established,to_client; content:"AF604EFE-8897-11D1-B944-00A0C90312E1"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF604EFE-8897-11D1-B944-00A0C90312E1/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7948; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Interface Definition ActiveX Object Access"; flow:from_server,established; content:"6E227109-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227109-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4906; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC1-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC1-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8834; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShotDetect ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|F|00|F|00|B|00|1|00|F|00|C|00|7|00|-|00|2|00|7|00|0|00|D|00|-|00|4|00|9|00|8|00|6|00|-|00|B|00|2|00|9|00|9|00|-|00|F|00|E|00|C|00|F|00|3|00|F|00|0|00|E|00|4|00|2|00|D|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00F\x00B\x001\x00F\x00C\x007\x00-\x002\x007\x000\x00D\x00-\x004\x009\x008\x006\x00-\x00B\x002\x009\x009\x00-\x00F\x00E\x00C\x00F\x003\x00F\x000\x00E\x004\x002\x00D\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7449; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID access"; flow:established,to_client; content:"18AB439E-FCF4-40D4-90DA-F79BAA3B0655"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18AB439E-FCF4-40D4-90DA-F79BAA3B0655/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7999; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|9|00|A|00|2|00|C|00|2|00|A|00|6|00|-|00|4|00|7|00|7|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|B|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x009\x00A\x002\x00C\x002\x00A\x006\x00-\x004\x007\x007\x008\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x00B\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7432; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8768; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID access"; flow:established,to_client; content:"FD853CD9-7F86-11D0-8252-00C04FD85AB4"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD853CD9-7F86-11D0-8252-00C04FD85AB4/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7916; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Stetch ActiveX CLSID access"; flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7450; rev:5;) 
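# WEB-ACTIVEX CLSID rules (Snort 2.x syntax), reflowed to one rule per line.
# Each rule pairs a fast-pattern content match on a CLSID with a pcre that
# requires the CLSID inside an <OBJECT ... classid="clsid:{GUID}"> tag; the
# "unicode access" variants match the UTF-16LE encoding of the same thing.
#
# Review notes:
#  - ASCII pcre patterns below are written in full as
#    "/<OBJECT\s+[^>]*classid\s*=...\s*GUID/si". In the extracted copy of this
#    file the leading "<OBJECT\s+[^>" had been stripped, leaving
#    "/]*classid...", which no longer ties the match to an OBJECT tag; the
#    UTF-16 siblings still carry the full form and are the reference.
#  - Only the <OBJECT classid=...> form is covered; script-driven
#    instantiation (ActiveXObject with a ProgID) is not matched.
#  - The rules inspect the raw server->client stream (no http_* / file_data
#    buffer), so compressed or otherwise encoded responses are only seen if
#    the HTTP preprocessor normalizes them first; confirm before relying on them.
#  - sids 7485 and 7457 omit nocase on the content while their pcre uses /i,
#    unlike the sibling rules. Whether a fast_pattern:only content is matched
#    case-insensitively depends on the engine build - confirm, and add nocase
#    for consistency if it is not.
# No nocase on the content here (see review notes above).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|1|00|2|00|3|00|2|00|E|00|E|00|-|00|4|00|4|00|D|00|7|00|-|00|4|00|4|00|9|00|4|00|-|00|A|00|B|00|8|00|B|00|-|00|C|00|C|00|6|00|1|00|B|00|1|00|0|00|E|00|2|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x001\x002\x003\x002\x00E\x00E\x00-\x004\x004\x00D\x007\x00-\x004\x004\x009\x004\x00-\x00A\x00B\x008\x00B\x00-\x00C\x00C\x006\x001\x00B\x001\x000\x00E\x002\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7485; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft TipGW Init ActiveX Object Access"; flow:from_server,established; content:"F117831B-C052-11D1-B1C0-00C04FC2F3EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F117831B-C052-11D1-B1C0-00C04FC2F3EF/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4214; rev:7;)
# No nocase on the content here (see review notes above).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|D|00|4|00|5|00|2|00|9|00|E|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|5|00|5|00|0|00|-|00|A|00|2|00|E|00|0|00|-|00|C|00|2|00|5|00|D|00|7|00|C|00|5|00|C|00|C|00|0|00|D|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00D\x004\x005\x002\x009\x00E\x00-\x008\x004\x00E\x000\x00-\x004\x005\x005\x000\x00-\x00A\x002\x00E\x000\x00-\x00C\x002\x005\x00D\x007\x00C\x005\x00C\x00C\x000\x00D\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7457; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Import Filter ActiveX CLSID access"; flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7476; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID access"; flow:established,to_client; content:"B1549E58-3894-11D2-BB7F-00A0C999C4C1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1549E58-3894-11D2-BB7F-00A0C999C4C1/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8750; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID access"; flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7464; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Xml2Dex ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|C|00|6|00|2|00|8|00|E|00|E|00|-|00|9|00|6|00|2|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|D|00|0|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|4|00|1|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00C\x006\x002\x008\x00E\x00E\x00-\x009\x006\x002\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x00D\x000\x008\x00-\x000\x000\x00A\x000\x00C\x009\x004\x004\x001\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8380; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository ActiveX Object Access"; flow:from_server,established; content:"6E227101-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227101-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4225; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Image Control 1.0 ActiveX Object Access"; flow:from_server,established; content:"D4A97620-8E8F-11CF-93CD-00AA00C08FDF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D4A97620-8E8F-11CF-93CD-00AA00C08FDF/si"; metadata:policy security-ips drop; reference:bugtraq,12477; reference:url,www.microsoft.com/technet/security/bulletin/MS05-014.mspx; classtype:attempted-user; sid:4165; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|3|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x003\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; reference:cve,1999-0384; reference:url,www.microsoft.com/technet/security/bulletin/ms99-001.mspx; classtype:attempted-user; sid:7955; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID access"; flow:established,to_client; content:"E0F158E1-CB04-11D0-BD4E-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0F158E1-CB04-11D0-BD4E-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8049; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|B|00|B|00|3|00|1|00|0|00|-|00|5|00|D|00|0|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|3|00|B|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00B\x00B\x003\x001\x000\x00-\x005\x00D\x000\x001\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x003\x00B\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8042; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8787; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|C|00|A|00|B|00|B|00|0|00|B|00|F|00|-|00|7|00|F|00|1|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|7|00|8|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|7|00|E|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00C\x00A\x00B\x00B\x000\x00B\x00F\x00-\x007\x00F\x001\x009\x00-\x001\x001\x00D\x002\x00-\x009\x007\x008\x00E\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x007\x00E\x002\x00A\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8034; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access"; flow:from_server,established; content:"22D6F312-B0F6-11D0-94AB-0080C74C7E95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22D6F312-B0F6-11D0-94AB-0080C74C7E95/si"; metadata:policy security-ips drop; reference:bugtraq,793; reference:cve,1999-1110; classtype:attempted-user; sid:4152; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID access"; flow:established,to_client; content:"8241F015-84D3-11d2-97E6-0000F803FF7A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8241F015-84D3-11d2-97E6-0000F803FF7A/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7912; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItem2 ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|E|00|F|00|1|00|0|00|F|00|A|00|2|00|-|00|3|00|5|00|5|00|E|00|-|00|4|00|E|00|0|00|6|00|-|00|9|00|3|00|8|00|1|00|-|00|9|00|B|00|2|00|4|00|D|00|7|00|F|00|7|00|C|00|C|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00E\x00F\x001\x000\x00F\x00A\x002\x00-\x003\x005\x005\x00E\x00-\x004\x00E\x000\x006\x00-\x009\x003\x008\x001\x00-\x009\x00B\x002\x004\x00D\x007\x00F\x007\x00C\x00C\x008\x008\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7931; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Database Tools Query Designer v7.0 ActiveX Object Access"; flow:from_server,established; content:"2C10A98F-D64F-43B4-BED6-DD0E1BF2074C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C10A98F-D64F-43B4-BED6-DD0E1BF2074C/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4233; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX McSubMgr ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|b|00|e|00|8|00|d|00|7|00|b|00|2|00|-|00|3|00|2|00|9|00|c|00|-|00|4|00|4|00|2|00|a|00|-|00|a|00|4|00|a|00|c|00|-|00|a|00|b|00|a|00|9|00|d|00|7|00|5|00|7|00|2|00|6|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00b\x00e\x008\x00d\x007\x00b\x002\x00-\x003\x002\x009\x00c\x00-\x004\x004\x002\x00a\x00-\x00a\x004\x00a\x00c\x00-\x00a\x00b\x00a\x009\x00d\x007\x005\x007\x002\x006\x000\x002\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7865; rev:5;)
alert tcp 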
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Bitmap ActiveX CLSID access"; flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7429; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Switch Filter ActiveX CLSID access"; flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7490; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Volume ActiveX CLSID access"; flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7496; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8822; rev:4;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8783; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|7|00|4|00|C|00|A|00|7|00|0|00|F|00|-|00|2|00|2|00|3|00|6|00|-|00|4|00|B|00|A|00|8|00|-|00|A|00|2|00|9|00|7|00|-|00|4|00|B|00|2|00|A|00|2|00|8|00|C|00|2|00|3|00|6|00|3|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x004\x00C\x00A\x007\x000\x00F\x00-\x002\x002\x003\x006\x00-\x004\x00B\x00A\x008\x00-\x00A\x002\x009\x007\x00-\x004\x00B\x002\x00A\x002\x008\x00C\x002\x003\x006\x003\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7459; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID access"; flow:established,to_client; content:"F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7920; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID unicode access"; 
flow:established,to_client; content:"4|00|F|00|2|00|4|00|1|00|D|00|B|00|1|00|-|00|E|00|E|00|9|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|2|00|4|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|C|00|9|00|9|00|E|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x002\x004\x001\x00D\x00B\x001\x00-\x00E\x00E\x009\x00F\x00-\x001\x001\x00D\x000\x00-\x009\x008\x002\x004\x00-\x000\x000\x006\x000\x009\x007\x00C\x009\x009\x00E\x005\x001\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8763; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HTML Help ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|B|00|2|00|3|00|C|00|2|00|8|00|-|00|4|00|8|00|8|00|E|00|-|00|4|00|e|00|5|00|C|00|-|00|A|00|C|00|E|00|2|00|-|00|B|00|B|00|0|00|B|00|B|00|A|00|B|00|E|00|9|00|9|00|E|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00B\x002\x003\x00C\x002\x008\x00-\x004\x008\x008\x00E\x00-\x004\x00e\x005\x00C\x00-\x00A\x00C\x00E\x002\x00-\x00B\x00B\x000\x00B\x00B\x00A\x00B\x00E\x009\x009\x00E\x008\x00/si"; metadata:policy security-ips drop; reference:bugtraq,13953; reference:cve,2005-1208; reference:url,www.microsoft.com/technet/security/bulletin/MS05-026.mspx; classtype:attempted-user; sid:7441; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID access"; flow:established,to_client; 
content:"63500AE2-0858-11D2-8CE4-00C04F8ECB10"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63500AE2-0858-11D2-8CE4-00C04F8ECB10/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8395; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MsnPUpld ActiveX Object Access"; flow:from_server,established; content:"F107317A-A488-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F107317A-A488-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4173; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Script Definition ActiveX Object Access"; flow:from_server,established; content:"D675E22B-CAE9-11D2-AF7B-00C04F99179F"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D675E22B-CAE9-11D2-AF7B-00C04F99179F/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4914; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WDM Instance Provider ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|D|00|5|00|8|00|8|00|B|00|5|00|-|00|D|00|0|00|8|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|9|00|E|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|8|00|E|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x00D\x005\x008\x008\x00B\x005\x00-\x00D\x000\x008\x001\x00-\x001\x001\x00D\x000\x00-\x009\x009\x00E\x000\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x008\x00E\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8052; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID access"; flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6686; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|0|00|0|00|2|00|B|00|1|00|7|00|-|00|5|00|D|00|9|00|3|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|1|00|E|00|4|00|-|00|8|00|3|00|1|00|F|00|E|00|F|00|7|00|8|00|0|00|A|00|5|00|3|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x000\x000\x002\x00B\x001\x007\x00-\x005\x00D\x009\x003\x00-\x004\x005\x005\x001\x00-\x008\x001\x00E\x004\x00-\x008\x003\x001\x00F\x00E\x00F\x007\x008\x000\x00A\x005\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7483; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID access"; flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; metadata:policy security-ips drop; reference:cve,2006-1303; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6681; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|C|00|C|00|D|00|D|00|F|00|-|00|C|00|A|00|2|00|8|00|-|00|4|00|9|00|6|00|b|00|-|00|B|00|0|00|5|00|0|00|-|00|6|00|C|00|0|00|7|00|C|00|9|00|6|00|2|00|4|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x00C\x00C\x00D\x00D\x00F\x00-\x00C\x00A\x002\x008\x00-\x004\x009\x006\x00b\x00-\x00B\x000\x005\x000\x00-\x006\x00C\x000\x007\x00C\x009\x006\x002\x004\x007\x006\x00B\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8718; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID access"; flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7452; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT Icon Control ActiveX Object Access"; flow:from_server,established; content:"D24D4450-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4450-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6006; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|E|00|0|00|4|00|5|00|8|00|1|00|-|00|4|00|E|00|E|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|F|00|E|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|B|00|4|00|3|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x00E\x000\x004\x005\x008\x001\x00-\x004\x00E\x00E\x00E\x00-\x001\x001\x00D\x000\x00-\x00B\x00F\x00E\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x00B\x004\x003\x008\x003\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8020; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8829; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID access"; flow:established,to_client; content:"FD179533-D86E-11D0-89D6-00A0C90833E6"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD179533-D86E-11D0-89D6-00A0C90833E6/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8756; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|B|00|E|00|B|00|8|00|A|00|0|00|5|00|-|00|B|00|E|00|E|00|E|00|-|00|4|00|4|00|4|00|2|00|-|00|8|00|0|00|4|00|E|00|-|00|4|00|0|00|9|00|D|00|6|00|C|00|4|00|5|00|1|00|5|00|E|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00B\x00E\x00B\x008\x00A\x000\x005\x00-\x00B\x00E\x00E\x00E\x00-\x004\x004\x004\x002\x00-\x008\x000\x004\x00E\x00-\x004\x000\x009\x00D\x006\x00C\x004\x005\x001\x005\x00E\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7977; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network and Dial-Up Connections ActiveX Object Access"; flow:from_server,established; content:"992CFFA0-F557-101A-88EC-00DD010CCC48"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*992CFFA0-F557-101A-88EC-00DD010CCC48/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4220; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID access"; flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7468; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ActiveLabel ActiveX Object Access"; flow:from_server,established; content:"99B42120-6EC7-11CF-A6C7-00AA00A47DD2"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99B42120-6EC7-11CF-A6C7-00AA00A47DD2/si"; metadata:policy security-ips drop; reference:bugtraq,5558; reference:cve,2002-0647; reference:url,www.microsoft.com/technet/security/bulletin/MS02-047.mspx; classtype:attempted-user; sid:4147; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID access"; flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; metadata:policy 
security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7470; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ICM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|0|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x000\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8018; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Smartcard Enrollment ActiveX Object Access"; flow:from_server,established; content:"80CB7887-20DE-11D2-8D5C-00C04FC29D45"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80CB7887-20DE-11D2-8D5C-00C04FC29D45/si"; metadata:policy security-ips drop; reference:cve,2002-0699; reference:url,www.microsoft.com/technet/security/bulletin/MS02-048.mspx; classtype:attempted-user; sid:4181; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8832; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXTFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|8|00|5|00|A|00|9|00|1|00|B|00|C|00|-|00|1|00|E|00|8|00|A|00|-|00|4|00|E|00|4|00|A|00|-|00|A|00|7|00|A|00|6|00|-|00|F|00|4|00|F|00|C|00|1|00|E|00|6|00|C|00|A|00|1|00|B|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x008\x005\x00A\x009\x001\x00B\x00C\x00-\x001\x00E\x008\x00A\x00-\x004\x00E\x004\x00A\x00-\x00A\x007\x00A\x006\x00-\x00F\x004\x00F\x00C\x001\x00E\x006\x00C\x00A\x001\x00B\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7927; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8748; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook.Application ActiveX CLSID access"; flow:established,to_client; content:"0006F03A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F03A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8371; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation ActiveX Object Access"; flow:from_server,established; content:"283807B8-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B8-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4202; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BEE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8816; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8804; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeInfo ActiveX Object Access"; flow:from_server,established; content:"00020422-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020422-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4895; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; 
reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8814; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A762-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A762-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8047; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"FF2BBC4A-6881-4294-BE0C-17535B1FCCFA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FF2BBC4A-6881-4294-BE0C-17535B1FCCFA/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4161; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID access"; flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7462; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Multimedia File Property Sheet ActiveX Object Access"; flow:from_server,established; content:"00022613-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00022613-0000-0000-C000-000000000046/si"; 
metadata:policy security-ips drop; reference:bugtraq,5094; classtype:attempted-user; sid:4159; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID access"; flow:established,to_client; content:"760C4B83-E211-11D2-BF3E-00805FBE84A6"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*760C4B83-E211-11D2-BF3E-00805FBE84A6/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8401; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"25B0F91C-D23D-11D0-9B85-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25B0F91C-D23D-11D0-9B85-00C04FC2F51D/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8741; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft OpenCable Class ActiveX Object Access"; flow:from_server,established; content:"ABBA001B-3075-11D6-88A4-00B0D0200F88"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ABBA001B-3075-11D6-88A4-00B0D0200F88/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4223; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSOAInterface ActiveX Object Access"; flow:from_server,established; content:"00020424-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020424-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; 
reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4897; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID access"; flow:established,to_client; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BA018599-1DB3-44f9-83B4-461454C84BF8/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8719; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|7|00|9|00|E|00|1|00|3|00|2|00|F|00|-|00|5|00|6|00|1|00|B|00|-|00|4|00|2|00|F|00|8|00|-|00|8|00|4|00|6|00|C|00|-|00|A|00|7|00|0|00|D|00|B|00|D|00|C|00|6|00|2|00|9|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x009\x00E\x001\x003\x002\x00F\x00-\x005\x006\x001\x00B\x00-\x004\x002\x00F\x008\x00-\x008\x004\x006\x00C\x00-\x00A\x007\x000\x00D\x00B\x00D\x00C\x006\x002\x009\x009\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7487; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8771; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8840; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|8|00|6|00|8|00|3|00|0|00|4|00|-|00|A|00|B|00|0|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|6|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x008\x006\x008\x003\x000\x004\x00-\x00A\x00B\x000\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x007\x006\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8775; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HTML Help ActiveX Object Access"; flow:from_server,established; content:"41B23C28-488E-4e5C-ACE2-BB0BBABE99E8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41B23C28-488E-4e5C-ACE2-BB0BBABE99E8/si"; metadata:policy security-ips drop; reference:bugtraq,13953; 
reference:cve,2005-1208; reference:url,www.microsoft.com/technet/security/bulletin/MS05-026.mspx; classtype:attempted-user; sid:4183; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID access"; flow:established,to_client; content:"98BFD494-F6AD-4794-9038-832C0654CC43"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98BFD494-F6AD-4794-9038-832C0654CC43/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7900; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID access"; flow:established,to_client; content:"639F725F-1B2D-4831-A9FD-874847682010"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*639F725F-1B2D-4831-A9FD-874847682010/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8365; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|6|00|6|00|D|00|6|00|6|00|F|00|A|00|-|00|9|00|6|00|1|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|4|00|2|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|A|00|E|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x006\x006\x00D\x006\x006\x00F\x00A\x00-\x009\x006\x001\x006\x00-\x001\x001\x00D\x002\x00-\x009\x003\x004\x002\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x00A\x00E\x001\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8032; rev:6;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office Services on the Web Free/Busy ActiveX Object Access"; flow:from_server,established; content:"F28D867A-DDB1-11D3-B8E8-00A0C981AEEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F28D867A-DDB1-11D3-B8E8-00A0C981AEEB/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4217; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|D|00|C|00|6|00|C|00|B|00|8|00|6|00|-|00|4|00|2|00|4|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00D\x00C\x006\x00C\x00B\x008\x006\x00-\x004\x002\x004\x00C\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7911; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMI ASDI Extension ActiveX Object Access"; flow:from_server,established; content:"F0975AFE-5C7F-11D2-8B74-00104B2AFB41"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F0975AFE-5C7F-11D2-8B74-00104B2AFB41/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4236; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID access"; flow:established,to_client; content:"FD78D554-4C6E-11D0-970D-00A0C9191601"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD78D554-4C6E-11D0-970D-00A0C9191601/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8005; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|A|00|0|00|1|00|8|00|5|00|9|00|9|00|-|00|1|00|D|00|B|00|3|00|-|00|4|00|4|00|f|00|9|00|-|00|8|00|3|00|B|00|4|00|-|00|4|00|6|00|1|00|4|00|5|00|4|00|C|00|8|00|4|00|B|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00A\x000\x001\x008\x005\x009\x009\x00-\x001\x00D\x00B\x003\x00-\x004\x004\x00f\x009\x00-\x008\x003\x00B\x004\x00-\x004\x006\x001\x004\x005\x004\x00C\x008\x004\x00B\x00F\x008\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8720; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Alias ActiveX Object Access"; flow:from_server,established; content:"62EC9F22-5E30-11D2-97A1-00C04FB6DD9A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*62EC9F22-5E30-11D2-97A1-00C04FB6DD9A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4904; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft 
Forms 2.0 ListBox ActiveX CLSID access"; flow:established,to_client; content:"8BD21D20-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D20-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7956; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItems3 ActiveX CLSID access"; flow:established,to_client; content:"53C74826-AB99-4D33-ACA4-3117F51D3788"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*53C74826-AB99-4D33-ACA4-3117F51D3788/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7932; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|0|00|5|00|0|00|F|00|3|00|9|00|1|00|-|00|9|00|8|00|B|00|5|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|B|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|C|00|E|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x000\x005\x000\x00F\x003\x009\x001\x00-\x009\x008\x00B\x005\x00-\x001\x001\x00C\x00F\x00-\x00B\x00B\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x00D\x00C\x00E\x000\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8026; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX syncui.dll ActiveX CLSID access"; flow:established,to_client; 
content:"85BBD920-42A0-1069-A2E4-08002B30309D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85BBD920-42A0-1069-A2E4-08002B30309D/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8039; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Route ActiveX Object Access"; flow:from_server,established; content:"1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6003; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|2|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x002\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8048; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Picture Shape Control ActiveX Object 
Access"; flow:from_server,established; content:"6CBE0382-A879-4D2A-8EC3-1F2A43611BA8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6CBE0382-A879-4D2A-8EC3-1F2A43611BA8/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4213; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID access"; flow:established,to_client; content:"85A4A99C-8C3D-499E-A386-E0743DFF8FB7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85A4A99C-8C3D-499E-A386-E0743DFF8FB7/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8735; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|D|00|2|00|8|00|D|00|0|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00D\x002\x008\x00D\x000\x00-\x008\x00B\x00F\x004\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8008; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID access"; flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7466; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID access"; flow:established,to_client; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F5B7F63-F06F-4331-8A26-339E03C0AE3D/si"; metadata:policy security-ips drop; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; sid:8369; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|D|00|0|00|8|00|B|00|5|00|8|00|6|00|-|00|3|00|4|00|3|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|4|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|F|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00D\x000\x008\x00B\x005\x008\x006\x00-\x003\x004\x003\x00A\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x004\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00F\x00D\x00F\x00F\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8028; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Helper Object for Java ActiveX Object Access"; 
flow:from_server,established; content:"8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4235; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 9x8Resize ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|C|00|0|00|D|00|6|00|9|00|A|00|8|00|-|00|0|00|9|00|2|00|3|00|-|00|4|00|E|00|E|00|E|00|-|00|9|00|3|00|7|00|5|00|-|00|9|00|2|00|3|00|9|00|F|00|5|00|A|00|3|00|8|00|B|00|9|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00C\x000\x00D\x006\x009\x00A\x008\x00-\x000\x009\x002\x003\x00-\x004\x00E\x00E\x00E\x00-\x009\x003\x007\x005\x00-\x009\x002\x003\x009\x00F\x005\x00A\x003\x008\x00B\x009\x002\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7426; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID access"; flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7454; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID unicode access"; flow:established,to_client; 
content:"5|00|8|00|6|00|F|00|B|00|4|00|8|00|6|00|-|00|5|00|5|00|6|00|0|00|-|00|4|00|F|00|F|00|3|00|-|00|9|00|6|00|D|00|F|00|-|00|1|00|1|00|1|00|8|00|C|00|9|00|6|00|A|00|F|00|4|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x008\x006\x00F\x00B\x004\x008\x006\x00-\x005\x005\x006\x000\x00-\x004\x00F\x00F\x003\x00-\x009\x006\x00D\x00F\x00-\x001\x001\x001\x008\x00C\x009\x006\x00A\x00F\x004\x005\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7501; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItems3 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|3|00|C|00|7|00|4|00|8|00|2|00|6|00|-|00|A|00|B|00|9|00|9|00|-|00|4|00|D|00|3|00|3|00|-|00|A|00|C|00|A|00|4|00|-|00|3|00|1|00|1|00|7|00|F|00|5|00|1|00|D|00|3|00|7|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x003\x00C\x007\x004\x008\x002\x006\x00-\x00A\x00B\x009\x009\x00-\x004\x00D\x003\x003\x00-\x00A\x00C\x00A\x004\x00-\x003\x001\x001\x007\x00F\x005\x001\x00D\x003\x007\x008\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7933; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CommunicationManager ActiveX CLSID access"; flow:established,to_client; content:"67DCC487-AA48-11D1-8F4F-00C04FB611C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DCC487-AA48-11D1-8F4F-00C04FB611C7/si"; metadata:policy security-ips drop; 
reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8001; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,www.microsoft.com/technet/security/Bulletin/MS02-044.mspx; classtype:attempted-user; sid:7875; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSAPP Export Support for Microsoft Access ActiveX Object Access"; flow:from_server,established; content:"98CB4060-D3E7-42A1-8D65-949D34EBFE14"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98CB4060-D3E7-42A1-8D65-949D34EBFE14/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4229; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID access"; flow:established,to_client; content:"844F4806-E8A8-11D2-9652-00C04FC30871"; fast_pattern:only; nocase; 
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*844F4806-E8A8-11D2-9652-00C04FC30871/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7987; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|D|00|A|00|2|00|A|00|A|00|3|00|E|00|-|00|3|00|D|00|9|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|2|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00D\x00A\x002\x00A\x00A\x003\x00E\x00-\x003\x00D\x009\x006\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x002\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7445; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|5|00|0|00|0|00|A|00|E|00|2|00|-|00|0|00|8|00|5|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|C|00|E|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|8|00|E|00|C|00|B|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x005\x000\x000\x00A\x00E\x002\x00-\x000\x008\x005\x008\x00-\x001\x001\x00D\x002\x00-\x008\x00C\x00E\x004\x00-\x000\x000\x00C\x000\x004\x00F\x008\x00E\x00C\x00B\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8396; rev:4;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID access"; flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7442; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSN Setup BBS 4.71.0.10 ActiveX Object Access"; flow:from_server,established; content:"8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8F0F5093-0A70-11D0-BCA9-00C04FD85AA6/si"; metadata:policy security-ips drop; reference:bugtraq,668; reference:cve,1999-1484; classtype:attempted-user; sid:4157; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Stream ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|6|00|6|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x006\x006\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,www.microsoft.com/technet/security/bulletin/ms04-025.mspx; classtype:attempted-user; sid:8062; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID access"; flow:established,to_client; content:"0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0D43FE01-F093-11CF-8940-00A0C9054228/si"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,www.microsoft.com/technet/security/bulletin/ms00-075.mspx; classtype:attempted-user; sid:8069; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ACM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|1|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x001\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7992; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|6|00|F|00|F|00|C|00|2|00|4|00|C|00|-|00|7|00|E|00|1|00|3|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|4|00|7|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x006\x00F\x00F\x00C\x002\x004\x00C\x00-\x007\x00E\x001\x003\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x004\x007\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7951; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|A|00|B|00|4|00|3|00|9|00|E|00|-|00|F|00|C|00|F|00|4|00|-|00|4|00|0|00|D|00|4|00|-|00|9|00|0|00|D|00|A|00|-|00|F|00|7|00|9|00|B|00|A|00|A|00|3|00|B|00|0|00|6|00|5|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00A\x00B\x004\x003\x009\x00E\x00-\x00F\x00C\x00F\x004\x00-\x004\x000\x00D\x004\x00-\x009\x000\x00D\x00A\x00-\x00F\x007\x009\x00B\x00A\x00A\x003\x00B\x000\x006\x005\x005\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8000; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Windows Reporting Tool ActiveX Object Access"; flow:from_server,established; content:"167701E3-FDCF-11D0-A48E-006097C549FF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*167701E3-FDCF-11D0-A48E-006097C549FF/si"; metadata:policy security-ips drop; reference:bugtraq,8454; reference:cve,2003-0530; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; classtype:attempted-user; sid:4160; 
rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8807; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LexRefStEsObject Class ActiveX Object Access"; flow:from_server,established; content:"4CFB5280-800B-4367-848F-5A13EBF27F1D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CFB5280-800B-4367-848F-5A13EBF27F1D/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4208; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebDetectFrm ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|1|00|C|00|6|00|6|00|9|00|C|00|7|00|-|00|E|00|D|00|D|00|D|00|-|00|4|00|2|00|7|00|7|00|-|00|B|00|F|00|5|00|E|00|-|00|6|00|4|00|8|00|0|00|7|00|C|00|B|00|8|00|D|00|C|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x001\x00C\x006\x006\x009\x00C\x007\x00-\x00E\x00D\x00D\x00D\x00-\x004\x002\x007\x007\x00-\x00B\x00F\x005\x00E\x00-\x006\x004\x008\x000\x007\x00C\x00B\x008\x00D\x00C\x00E\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8394; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Active Setup ActiveX 
Object Access"; flow:from_server,established; content:"F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1/si"; metadata:policy security-ips drop; reference:bugtraq,667; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4169; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL Phobos Class ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|F|00|9|00|9|00|C|00|6|00|B|00|-|00|A|00|3|00|A|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|F|00|6|00|4|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|6|00|1|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x00F\x009\x009\x00C\x006\x00B\x00-\x00A\x003\x00A\x006\x00-\x001\x001\x00D\x004\x00-\x00A\x00F\x006\x004\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x006\x001\x007\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7893; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID access"; flow:established,to_client; content:"06290BD5-48AA-11D2-8432-006008C3FBFC"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06290BD5-48AA-11D2-8432-006008C3FBFC/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,www.microsoft.com/technet/security/Bulletin/MS99-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; classtype:attempted-user; sid:8064; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8825; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RDS.Dataspace ActiveX Object Access"; flow:from_server,established; content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD96C556-65A3-11D0-983A-00C04FC29E36/si"; metadata:policy security-ips drop; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,www.microsoft.com/technet/security/bulletin/MS06-014.mspx; classtype:attempted-user; sid:6009; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|D|00|4|00|3|00|F|00|E|00|0|00|1|00|-|00|F|00|0|00|9|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|4|00|2|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x00D\x004\x003\x00F\x00E\x000\x001\x00-\x00F\x000\x009\x003\x00-\x001\x001\x00C\x00F\x00-\x008\x009\x004\x000\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x004\x002\x002\x008\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,www.microsoft.com/technet/security/bulletin/ms00-075.mspx; classtype:attempted-user; sid:8070; rev:4;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Circular Auto Layout Logic 2 ActiveX Object Access"; flow:from_server,established; content:"B0406342-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406342-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6004; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|8|00|A|00|B|00|E|00|1|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|4|00|1|00|C|00|1|00|-|00|A|00|B|00|A|00|3|00|-|00|0|00|5|00|1|00|B|00|6|00|F|00|1|00|1|00|2|00|B|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x008\x00A\x00B\x00E\x001\x002\x003\x00-\x00F\x00A\x00C\x004\x00-\x004\x001\x00C\x001\x00-\x00A\x00B\x00A\x003\x00-\x000\x005\x001\x00B\x006\x00F\x001\x001\x002\x00B\x008\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7885; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX English_US Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|E|00|E|00|D|00|4|00|C|00|2|00|0|00|-|00|7|00|F|00|1|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00E\x00E\x00D\x004\x00C\x002\x000\x00-\x007\x00F\x001\x00B\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8012; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MTSEvents Class ActiveX Object Access"; flow:from_server,established; content:"ECABB0AB-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0AB-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4892; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID access"; flow:established,to_client; content:"C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8021; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network Connections Tray ActiveX Object Access"; flow:from_server,established; content:"7007ACCF-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACCF-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; 
reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4219; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID access"; flow:established,to_client; content:"BB339A46-7C49-11d2-9BF3-00C04FA34789"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB339A46-7C49-11d2-9BF3-00C04FA34789/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8753; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Business Object Factory ActiveX CLSID access"; flow:established,to_client; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AB9BCEDD-EC7E-47E1-9322-D4A210617116/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8363; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|1|00|B|00|0|00|9|00|0|00|6|00|6|00|-|00|C|00|9|00|5|00|C|00|-|00|4|00|E|00|F|00|6|00|-|00|8|00|D|00|F|00|D|00|-|00|3|00|D|00|D|00|0|00|A|00|F|00|E|00|6|00|1|00|0|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x001\x00B\x000\x009\x000\x006\x006\x00-\x00C\x009\x005\x00C\x00-\x004\x00E\x00F\x006\x00-\x008\x00D\x00F\x00D\x00-\x003\x00D\x00D\x000\x00A\x00F\x00E\x006\x001\x000\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7899; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access"; flow:from_server,established; content:"F27CE930-4CA3-11D1-AFF2-006097C9A284"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F27CE930-4CA3-11D1-AFF2-006097C9A284/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4199; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8777; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QuickTime Object ActiveX CLSID access"; flow:established,to_client; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8375; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID access"; flow:established,to_client; content:"9478F640-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9478F640-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8037; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX function call"; flow:established,to_client; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX 9x8Resize ActiveX CLSID access"; flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7425; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Msb1geen.dll ActiveX Object Access"; flow:from_server,established; content:"208DD6A3-E12B-4755-9607-2E39EF84CFC5"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*208DD6A3-E12B-4755-9607-2E39EF84CFC5/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4210; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX HHOpen ActiveX Object Access"; flow:from_server,established; content:"130D7743-5F5A-11D1-B676-00A0C9697233"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*130D7743-5F5A-11D1-B676-00A0C9697233/si"; metadata:policy security-ips drop; reference:bugtraq,669; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4192; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID access"; 
flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7433; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Relationship Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710D-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710D-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4910; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|6|00|3|00|3|00|4|00|4|00|D|00|8|00|-|00|7|00|0|00|D|00|3|00|-|00|4|00|0|00|3|00|2|00|-|00|9|00|B|00|3|00|2|00|-|00|7|00|A|00|3|00|C|00|A|00|D|00|5|00|0|00|9|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x003\x003\x004\x004\x00D\x008\x00-\x007\x000\x00D\x003\x00-\x004\x000\x003\x002\x00-\x009\x00B\x003\x002\x00-\x007\x00A\x003\x00C\x00A\x00D\x005\x000\x009\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6685; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID unicode access"; 
flow:established,to_client; content:"1|00|8|00|5|00|3|00|E|00|1|00|9|00|A|00|-|00|4|00|E|00|5|00|4|00|-|00|4|00|1|00|9|00|0|00|-|00|8|00|D|00|E|00|B|00|-|00|2|00|E|00|1|00|C|00|C|00|9|00|4|00|7|00|C|00|D|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x005\x003\x00E\x001\x009\x00A\x00-\x004\x00E\x005\x004\x00-\x004\x001\x009\x000\x00-\x008\x00D\x00E\x00B\x00-\x002\x00E\x001\x00C\x00C\x009\x004\x007\x00C\x00D\x006\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7919; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID access"; flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7456; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BEC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8747; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8823; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX syncui.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|5|00|B|00|B|00|D|00|9|00|2|00|0|00|-|00|4|00|2|00|A|00|0|00|-|00|1|00|0|00|6|00|9|00|-|00|A|00|2|00|E|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|B|00|3|00|0|00|3|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00B\x00B\x00D\x009\x002\x000\x00-\x004\x002\x00A\x000\x00-\x001\x000\x006\x009\x00-\x00A\x002\x00E\x004\x00-\x000\x008\x000\x000\x002\x00B\x003\x000\x003\x000\x009\x00D\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8040; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft VideoPort ActiveX Object Access"; flow:from_server,established; content:"CE292861-FC88-11D0-9E69-00C04FD7C15B"; 
fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CE292861-FC88-11D0-9E69-00C04FD7C15B/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4224; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Eyedog ActiveX Object Access"; flow:from_server,established; content:"06A7EC63-4E21-11D0-A112-00A0C90543AA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06A7EC63-4E21-11D0-A112-00A0C90543AA/si"; metadata:policy security-ips drop; reference:bugtraq,619; reference:cve,1999-0669; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:4153; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|3|00|1|00|E|00|8|00|7|00|C|00|4|00|-|00|8|00|6|00|E|00|A|00|-|00|4|00|9|00|4|00|0|00|-|00|9|00|B|00|8|00|A|00|-|00|5|00|B|00|D|00|5|00|D|00|1|00|7|00|9|00|A|00|7|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x003\x001\x00E\x008\x007\x00C\x004\x00-\x008\x006\x00E\x00A\x00-\x004\x009\x004\x000\x00-\x009\x00B\x008\x00A\x00-\x005\x00B\x00D\x005\x00D\x001\x007\x009\x00A\x007\x003\x007\x00/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7923; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID access"; 
flow:established,to_client; content:"4F241DB1-EE9F-11D0-9824-006097C99E51"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F241DB1-EE9F-11D0-9824-006097C99E51/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8762; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|D|00|2|00|D|00|8|00|E|00|0|00|-|00|D|00|1|00|D|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|4|00|0|00|F|00|-|00|0|00|0|00|8|00|0|00|2|00|9|00|0|00|0|00|4|00|3|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x00D\x002\x00D\x008\x00E\x000\x00-\x00D\x001\x00D\x00D\x00-\x001\x001\x00C\x00E\x00-\x009\x004\x000\x00F\x00-\x000\x000\x008\x000\x002\x009\x000\x000\x004\x003\x004\x007\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,www.microsoft.com/technet/security/bulletin/MS00-085.mspx; classtype:attempted-user; sid:8726; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID access"; flow:established,to_client; content:"B0516FF0-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0516FF0-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8035; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX SuperBuddy Class ActiveX 
CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|9|00|5|00|0|00|4|00|B|00|8|00|-|00|5|00|0|00|D|00|1|00|-|00|4|00|A|00|A|00|8|00|-|00|B|00|4|00|D|00|6|00|-|00|9|00|5|00|C|00|8|00|F|00|5|00|8|00|A|00|6|00|4|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x009\x005\x000\x004\x00B\x008\x00-\x005\x000\x00D\x001\x00-\x004\x00A\x00A\x008\x00-\x00B\x004\x00D\x006\x00-\x009\x005\x00C\x008\x00F\x005\x008\x00A\x006\x004\x001\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7984; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|3|00|0|00|F|00|D|00|0|00|2|00|C|00|-|00|B|00|B|00|E|00|7|00|-|00|4|00|E|00|B|00|9|00|-|00|9|00|1|00|C|00|F|00|-|00|F|00|C|00|4|00|5|00|C|00|C|00|9|00|1|00|E|00|3|00|E|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x003\x000\x00F\x00D\x000\x002\x00C\x00-\x00B\x00B\x00E\x007\x00-\x004\x00E\x00B\x009\x00-\x009\x001\x00C\x00F\x00-\x00F\x00C\x004\x005\x00C\x00C\x009\x001\x00E\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7493; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|3|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x003\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8046; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|D|00|2|00|B|00|8|00|4|00|1|00|-|00|7|00|6|00|9|00|2|00|-|00|4|00|C|00|8|00|3|00|-|00|A|00|F|00|D|00|3|00|-|00|F|00|6|00|0|00|E|00|8|00|4|00|5|00|3|00|4|00|1|00|A|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00D\x002\x00B\x008\x004\x001\x00-\x007\x006\x009\x002\x00-\x004\x00C\x008\x003\x00-\x00A\x00F\x00D\x003\x00-\x00F\x006\x000\x00E\x008\x004\x005\x003\x004\x001\x00A\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7499; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Network Connections ActiveX Object Access"; flow:from_server,established; content:"7007ACC7-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; 
nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACC7-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4227; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|E|00|F|00|B|00|E|00|C|00|2|00|-|00|4|00|3|00|0|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x00E\x00F\x00B\x00E\x00C\x002\x00-\x004\x003\x000\x002\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:cve,2006-2383; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6518; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Record Queue ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|B|00|4|00|B|00|0|00|5|00|E|00|B|00|-|00|1|00|F|00|6|00|3|00|-|00|4|00|4|00|6|00|B|00|-|00|A|00|A|00|D|00|1|00|-|00|E|00|1|00|0|00|A|00|3|00|4|00|D|00|6|00|5|00|0|00|E|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00B\x004\x00B\x000\x005\x00E\x00B\x00-\x001\x00F\x006\x003\x00-\x004\x004\x006\x00B\x00-\x00A\x00A\x00D\x001\x00-\x00E\x001\x000\x00A\x003\x004\x00D\x006\x005\x000\x00E\x000\x00/si"; 
metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7447; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID access"; flow:established,to_client; content:"742D385A-D5BF-427D-9AF2-88258FB73EAF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*742D385A-D5BF-427D-9AF2-88258FB73EAF/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8399; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8786; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Editing ActiveX Object Access"; flow:from_server,established; content:"6D940285-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940285-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4186; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VisualExec Control ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|9|00|E|00|A|00|8|00|5|00|2|00|7|00|-|00|6|00|A|00|6|00|A|00|-|00|4|00|0|00|F|00|E|00|-|00|A|00|6|00|7|00|C|00|-|00|8|00|2|00|C|00|F|00|7|00|6|00|3|00|9|00|0|00|2|00|D|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x009\x00E\x00A\x008\x005\x002\x007\x00-\x006\x00A\x006\x00A\x00-\x004\x000\x00F\x00E\x00-\x00A\x006\x007\x00C\x00-\x008\x002\x00C\x00F\x007\x006\x003\x009\x000\x002\x00D\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8408; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Dynamic Casts ActiveX function call"; flow:established,to_client; content:"DirectAnimation.DATuple"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7436; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatq.dll ActiveX CLSID access"; flow:established,to_client; content:"B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7995; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Method Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710B-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710B-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4908; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Scripting Host Shell ActiveX 
CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|3|00|5|00|D|00|C|00|2|00|2|00|-|00|1|00|C|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|B|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|5|00|8|00|A|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x003\x005\x00D\x00C\x002\x002\x00-\x001\x00C\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x00B\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x005\x008\x00A\x000\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS00-049.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:8067; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX clbcatex.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|4|00|6|00|F|00|0|00|A|00|0|00|-|00|D|00|3|00|6|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|8|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|2|00|3|00|1|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x004\x006\x00F\x000\x00A\x000\x00-\x00D\x003\x006\x007\x00-\x001\x001\x00D\x001\x00-\x008\x002\x008\x006\x00-\x000\x000\x00A\x000\x00C\x009\x002\x003\x001\x00C\x002\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7994; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID access"; flow:established,to_client; content:"B0A6BAE2-AAF0-11D0-A152-00A0C908DB96"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0A6BAE2-AAF0-11D0-A152-00A0C908DB96/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8759; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Allocator Fix ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|0|00|D|00|0|00|7|00|6|00|C|00|5|00|-|00|E|00|4|00|C|00|6|00|-|00|4|00|5|00|6|00|1|00|-|00|8|00|B|00|F|00|4|00|-|00|8|00|0|00|D|00|A|00|8|00|D|00|B|00|8|00|1|00|9|00|D|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x000\x00D\x000\x007\x006\x00C\x005\x00-\x00E\x004\x00C\x006\x00-\x004\x005\x006\x001\x00-\x008\x00B\x00F\x004\x00-\x008\x000\x00D\x00A\x008\x00D\x00B\x008\x001\x009\x00D\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7428; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID access"; flow:established,to_client; content:"52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8003; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|6|00|7|00|3|00|D|00|C|00|F|00|2|00|-|00|C|00|3|00|1|00|6|00|-|00|4|00|C|00|6|00|F|00|-|00|A|00|A|00|9|00|6|00|-|00|4|00|E|00|4|00|D|00|C|00|6|00|D|00|C|00|2|00|9|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x006\x007\x003\x00D\x00C\x00F\x002\x00-\x00C\x003\x001\x006\x00-\x004\x00C\x006\x00F\x00-\x00A\x00A\x009\x006\x00-\x004\x00E\x004\x00D\x00C\x006\x00D\x00C\x002\x009\x001\x00E\x00/si"; metadata:policy security-ips drop; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; classtype:attempted-user; sid:7915; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PostBootReminder object ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|8|00|4|00|9|00|5|00|9|00|6|00|A|00|-|00|4|00|8|00|E|00|A|00|-|00|4|00|8|00|6|00|E|00|-|00|8|00|9|00|3|00|7|00|-|00|A|00|2|00|A|00|3|00|0|00|0|00|9|00|F|00|3|00|1|00|A|00|9|00|"; fast_pattern:only; 
nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x008\x004\x009\x005\x009\x006\x00A\x00-\x004\x008\x00E\x00A\x00-\x004\x008\x006\x00E\x00-\x008\x009\x003\x007\x00-\x00A\x002\x00A\x003\x000\x000\x009\x00F\x003\x001\x00A\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7971; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX French_French Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|A|00|6|00|E|00|B|00|0|00|5|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00A\x006\x00E\x00B\x000\x005\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8014; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID access"; flow:established,to_client; content:"C1145550-A454-11D4-9020-00D0B7239081"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C1145550-A454-11D4-9020-00D0B7239081/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7888; rev:5;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL Phobos Class ActiveX CLSID access"; flow:established,to_client; content:"D9F99C6B-A3A6-11D4-AF64-444553546170"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D9F99C6B-A3A6-11D4-AF64-444553546170/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7892; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID access"; flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7498; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID access"; flow:established,to_client; content:"50B4791F-4731-11D0-8912-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50B4791F-4731-11D0-8912-00C04FC2A0CA/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8744; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DocFind Command ActiveX CLSID access"; flow:established,to_client; content:"B005E690-678D-11D1-B758-00A0C90564FE"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B005E690-678D-11D1-B758-00A0C90564FE/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8411; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VMR Allocator Presenter 9 ActiveX Object Access"; flow:from_server,established; 
content:"2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4901; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|C|00|B|00|0|00|8|00|C|00|E|00|-|00|A|00|B|00|3|00|D|00|-|00|4|00|7|00|7|00|9|00|-|00|9|00|C|00|7|00|7|00|-|00|6|00|2|00|A|00|4|00|3|00|9|00|B|00|F|00|E|00|6|00|C|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00C\x00B\x000\x008\x00C\x00E\x00-\x00A\x00B\x003\x00D\x00-\x004\x007\x007\x009\x00-\x009\x00C\x007\x007\x00-\x006\x002\x00A\x004\x003\x009\x00B\x00F\x00E\x006\x00C\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7897; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|1|00|5|00|4|00|9|00|E|00|5|00|8|00|-|00|3|00|8|00|9|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|B|00|7|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|9|00|9|00|C|00|4|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x001\x005\x004\x009\x00E\x005\x008\x00-\x003\x008\x009\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00B\x007\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x009\x009\x00C\x004\x00C\x001\x00/si"; metadata:policy 
security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8751; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|A|00|0|00|4|00|D|00|9|00|3|00|B|00|-|00|1|00|E|00|D|00|D|00|-|00|4|00|F|00|3|00|F|00|-|00|A|00|3|00|7|00|5|00|-|00|A|00|0|00|3|00|E|00|C|00|1|00|9|00|5|00|7|00|2|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00A\x000\x004\x00D\x009\x003\x00B\x00-\x001\x00E\x00D\x00D\x00-\x004\x00F\x003\x00F\x00-\x00A\x003\x007\x005\x00-\x00A\x000\x003\x00E\x00C\x001\x009\x005\x007\x002\x00C\x004\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7947; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeComp ActiveX Object Access"; flow:from_server,established; content:"00020425-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020425-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4898; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MPEG-4 Video Decompressor Property Page ActiveX Object Access"; flow:from_server,established; content:"598EBA02-B49A-11D2-A1C1-00609778EA66"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*598EBA02-B49A-11D2-A1C1-00609778EA66/si"; metadata:policy security-ips drop; 
reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4206; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID access"; flow:established,to_client; content:"69AD90EF-1C20-11D1-8801-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69AD90EF-1C20-11D1-8801-00C04FC29D46/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7952; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX IAVIStream & IAVIFile Proxy ActiveX Object Access"; flow:from_server,established; content:"0002000D-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002000D-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4890; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Queued Components Recorder ActiveX Object Access"; flow:from_server,established; content:"ECABAFC2-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC2-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4201; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8820; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX htmlfile ActiveX Object Access"; flow:from_server,established; content:"25336921-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25336921-03F9-11CF-8FD0-00AA00686F13/si"; metadata:policy security-ips drop; reference:bugtraq,1718; reference:cve,2001-0149; reference:url,www.microsoft.com/technet/security/bulletin/MS01-015.mspx; classtype:attempted-user; sid:4155; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|2|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x002\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8044; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID access"; flow:established,to_client; content:"9F8E6421-3D9B-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F8E6421-3D9B-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7936; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BDE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8837; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID access"; flow:established,to_client; content:"6D36CE10-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D36CE10-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8023; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BCC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; 
reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8780; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|5|00|3|00|3|00|5|00|9|00|C|00|1|00|-|00|3|00|9|00|E|00|1|00|-|00|4|00|9|00|1|00|b|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|6|00|4|00|F|00|D|00|8|00|A|00|B|00|0|00|7|00|1|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x005\x003\x003\x005\x009\x00C\x001\x00-\x003\x009\x00E\x001\x00-\x004\x009\x001\x00b\x00-\x009\x009\x005\x001\x00-\x004\x006\x004\x00F\x00D\x008\x00A\x00B\x000\x007\x001\x00C\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6683; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ADODB.Recordset ActiveX CLSID access"; flow:established,to_client; content:"00000535-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000535-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7868; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|7|00|1|00|B|00|4|00|0|00|6|00|3|00|-|00|3|00|E|00|5|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x007\x001\x00B\x004\x000\x006\x003\x00-\x003\x00E\x005\x009\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7925; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8799; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion ActiveX CLSID access"; flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; 
sid:7474; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8769; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID access"; flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7458; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|8|00|E|00|6|00|4|00|2|00|1|00|-|00|3|00|D|00|9|00|B|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x008\x00E\x006\x004\x002\x001\x00-\x003\x00D\x009\x00B\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7937; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|8|00|5|00|3|00|C|00|D|00|9|00|-|00|7|00|F|00|8|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|2|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|5|00|A|00|B|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x008\x005\x003\x00C\x00D\x009\x00-\x007\x00F\x008\x006\x00-\x001\x001\x00D\x000\x00-\x008\x002\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x005\x00A\x00B\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7917; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Volume ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|E|00|E|00|4|00|3|00|D|00|6|00|-|00|B|00|F|00|E|00|5|00|-|00|4|00|4|00|B|00|0|00|-|00|8|00|0|00|6|00|3|00|-|00|A|00|C|00|3|00|B|00|2|00|9|00|6|00|6|00|A|00|B|00|2|00|C|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x00E\x00E\x004\x003\x00D\x006\x00-\x00B\x00F\x00E\x005\x00-\x004\x004\x00B\x000\x00-\x008\x000\x006\x003\x00-\x00A\x00C\x003\x00B\x002\x009\x006\x006\x00A\x00B\x002\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7497; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|E|00|A|00|1|00|0|00|0|00|3|00|1|00|-|00|0|00|0|00|3|00|3|00|-|00|4|00|5|00|0|00|E|00|-|00|8|00|0|00|7|00|2|00|-|00|E|00|2|00|7|00|D|00|9|00|E|00|7|00|6|00|8|00|1|00|4|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00E\x00A\x001\x000\x000\x003\x001\x00-\x000\x000\x003\x003\x00-\x004\x005\x000\x00E\x00-\x008\x000\x007\x002\x00-\x00E\x002\x007\x00D\x009\x00E\x007\x006\x008\x001\x004\x002\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7463; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID access"; flow:established,to_client; content:"0002E552-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E552-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2002-0727; reference:cve,2002-0861; 
reference:url,www.microsoft.com/technet/security/Bulletin/MS02-044.mspx; classtype:attempted-user; sid:7874; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|3|00|F|00|9|00|9|00|8|00|B|00|2|00|-|00|0|00|E|00|0|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|A|00|4|00|9|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|E|00|B|00|5|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x003\x00F\x009\x009\x008\x00B\x002\x00-\x000\x00E\x000\x000\x00-\x001\x001\x00D\x003\x00-\x00A\x004\x009\x008\x00-\x000\x000\x001\x000\x004\x00B\x006\x00E\x00B\x005\x002\x00E\x00/si"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7879; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|D|00|2|00|0|00|D|00|4|00|B|00|B|00|-|00|B|00|4|00|7|00|E|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|3|00|B|00|D|00|-|00|E|00|3|00|C|00|2|00|E|00|E|00|2|00|5|00|0|00|D|00|2|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00D\x002\x000\x00D\x004\x00B\x00B\x00-\x00B\x004\x007\x00E\x00-\x004\x00F\x00B\x007\x00-\x008\x003\x00B\x00D\x00-\x00E\x003\x00C\x002\x00E\x00E\x002\x005\x000\x00D\x002\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7475; rev:4;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Third-Party Plugin ActiveX Object Access"; flow:from_server,established; content:"06DD38D3-D187-11CF-A80D-00C04FD74AD8"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06DD38D3-D187-11CF-A80D-00C04FD74AD8/si"; metadata:policy security-ips drop; reference:cve,2003-0233; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-user; sid:4189; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID access"; flow:established,to_client; content:"860BB310-5D01-11D0-BD3B-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860BB310-5D01-11D0-BD3B-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8041; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID access"; flow:established,to_client; content:"8BD21D30-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D30-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; reference:cve,1999-0384; reference:url,www.microsoft.com/technet/security/bulletin/ms99-001.mspx; classtype:attempted-user; sid:7954; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8772; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Outllib.dll ActiveX Object Access"; flow:from_server,established; content:"0006F02A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F02A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4222; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX FolderItem2 ActiveX CLSID access"; flow:established,to_client; content:"FEF10FA2-355E-4E06-9381-9B24D7F7CC88"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FEF10FA2-355E-4E06-9381-9B24D7F7CC88/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7930; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX System Monitor Source Properties ActiveX Object Access"; flow:from_server,established; content:"0CF32AA1-7571-11D0-93C4-00AA00A3DDEA"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CF32AA1-7571-11D0-93C4-00AA00A3DDEA/si"; metadata:policy security-ips drop; reference:bugtraq,7384; 
classtype:attempted-user; sid:4151; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RAV Online Scanner ActiveX Object Access"; flow:from_server,established; content:"D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249/si"; metadata:policy security-ips drop; reference:bugtraq,11448; reference:cve,2004-0936; reference:url,www.microsoft.com/technet/security/bulletin/MS03-048.mspx; classtype:attempted-user; sid:4188; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|2|00|4|00|1|00|F|00|0|00|1|00|5|00|-|00|8|00|4|00|D|00|3|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|7|00|E|00|6|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|3|00|F|00|F|00|7|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x002\x004\x001\x00F\x000\x001\x005\x00-\x008\x004\x00D\x003\x00-\x001\x001\x00d\x002\x00-\x009\x007\x00E\x006\x00-\x000\x000\x000\x000\x00F\x008\x000\x003\x00F\x00F\x007\x00A\x00/si"; metadata:policy security-ips drop; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7913; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID access"; flow:established,to_client; content:"8EE42293-C315-11D0-8D6F-00A0C9A06E1F"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8EE42293-C315-11D0-8D6F-00A0C9A06E1F/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7997; 
rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID access"; flow:established,to_client; content:"ECABB0BF-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0BF-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8033; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid access"; flow:established,to_client; content:"8B21775E-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:cve,2007-2216; reference:url,www.microsoft.com/technet/security/bulletin/ms07-045.mspx; classtype:attempted-user; sid:12269; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID access"; flow:established,to_client; content:"623E2882-FC0E-11D1-9A77-0000F8756A10"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*623E2882-FC0E-11D1-9A77-0000F8756A10/si"; metadata:policy security-ips drop; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; reference:url,osvdb.org/27109; classtype:attempted-user; sid:7940; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID access"; flow:established,to_client; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8CCCDDF-CA28-496b-B050-6C07C962476B/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8717; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX Frame Eater ActiveX CLSID access"; flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7437; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID access"; flow:established,to_client; content:"D2923B86-15F1-46FF-A19A-DE825F919576"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2923B86-15F1-46FF-A19A-DE825F919576/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7989; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WebDetectFrm ActiveX CLSID access"; flow:established,to_client; content:"61C669C7-EDDD-4277-BF5E-64807CB8DCEF"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*61C669C7-EDDD-4277-BF5E-64807CB8DCEF/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8393; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|1|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x001\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8835; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Type Library ActiveX Object Access"; flow:from_server,established; content:"6E22710E-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710E-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4911; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|E|00|F|00|E|00|2|00|4|00|5|00|2|00|-|00|1|00|6|00|8|00|A|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|C|00|7|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|9|00|4|00|5|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00E\x00F\x00E\x002\x004\x005\x002\x00-\x001\x006\x008\x00A\x00-\x001\x001\x00D\x001\x00-\x00B\x00C\x007\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x009\x004\x005\x003\x00B\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8030; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|0|00|0|00|7|00|2|00|5|00|B|00|-|00|C|00|4|00|5|00|5|00|-|00|4|00|D|00|E|00|6|00|-|00|B|00|F|00|B|00|6|00|-|00|A|00|D|00|5|00|4|00|0|00|A|00|D|00|4|00|2|00|7|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x000\x000\x007\x002\x005\x00B\x00-\x00C\x004\x005\x005\x00-\x004\x00D\x00E\x006\x00-\x00B\x00F\x00B\x006\x00-\x00A\x00D\x005\x004\x000\x00A\x00D\x004\x002\x007\x00C\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7881; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|E|00|D|00|A|00|8|00|9|00|A|00|-|00|0|00|9|00|6|00|6|00|-|00|4|00|B|00|9|00|1|00|-|00|9|00|C|00|1|00|8|00|-|00|A|00|B|00|6|00|9|00|F|00|0|00|9|00|8|00|1|00|8|00|7|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00E\x00D\x00A\x008\x009\x00A\x00-\x000\x009\x006\x006\x00-\x004\x00B\x009\x001\x00-\x009\x00C\x001\x008\x00-\x00A\x00B\x006\x009\x00F\x000\x009\x008\x001\x008\x007\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7467; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX Microsoft Repository Collection Definition ActiveX Object Access"; flow:from_server,established; content:"6E22710A-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710A-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4907; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8841; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Shortcut Handler ActiveX Object Access"; flow:from_server,established; content:"00021401-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00021401-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4915; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-ACTIVEX Rendezvous Class ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|1|00|0|00|2|00|9|00|E|00|5|00|B|00|-|00|C|00|B|00|5|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|5|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|1|00|A|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x001\x000\x002\x009\x00E\x005\x00B\x00-\x00C\x00B\x005\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x005\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x009\x001\x00A\x00C\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7975; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID access"; flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7444; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|2|00|C|00|A|00|3|00|B|00|C|00|F|00|-|00|3|00|B|00|9|00|B|00|-|00|4|00|1|00|9|00|E|00|-|00|A|00|3|00|D|00|6|00|-|00|5|00|D|00|2|00|8|00|C|00|0|00|B|00|0|00|B|00|5|00|0|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x002\x00C\x00A\x003\x00B\x00C\x00F\x00-\x003\x00B\x009\x00B\x00-\x004\x001\x009\x00E\x00-\x00A\x003\x00D\x006\x00-\x005\x00D\x002\x008\x00C\x000\x00B\x000\x00B\x005\x000\x00C\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8004; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|D|00|C|00|8|00|D|00|D|00|9|00|-|00|2|00|C|00|C|00|1|00|-|00|4|00|0|00|8|00|1|00|-|00|9|00|B|00|2|00|B|00|-|00|2|00|0|00|D|00|7|00|0|00|3|00|0|00|2|00|3|00|4|00|E|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00D\x00C\x008\x00D\x00D\x009\x00-\x002\x00C\x00C\x001\x00-\x004\x000\x008\x001\x00-\x009\x00B\x002\x00B\x00-\x002\x000\x00D\x007\x000\x003\x000\x002\x003\x004\x00E\x00F\x00/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-021.mspx; classtype:attempted-user; sid:6680; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8811; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DXTFilter ActiveX CLSID access"; flow:established,to_client; content:"385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7926; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4164; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID access"; flow:established,to_client; content:"A8ABE123-FAC4-41C1-ABA3-051B6F112B83"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8ABE123-FAC4-41C1-ABA3-051B6F112B83/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7884; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT FormatConversion Prop Page 
ActiveX CLSID access"; flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7472; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|7|00|2|00|3|00|E|00|0|00|9|00|-|00|F|00|4|00|C|00|2|00|-|00|4|00|3|00|c|00|8|00|-|00|8|00|3|00|5|00|8|00|-|00|0|00|9|00|F|00|C|00|D|00|1|00|D|00|B|00|0|00|7|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x007\x002\x003\x00E\x000\x009\x00-\x00F\x004\x00C\x002\x00-\x004\x003\x00c\x008\x00-\x008\x003\x005\x008\x00-\x000\x009\x00F\x00C\x00D\x001\x00D\x00B\x000\x007\x006\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8374; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ICM Class Manager ActiveX CLSID access"; flow:established,to_client; content:"33D9A760-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A760-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8017; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID unicode access"; 
flow:established,to_client; content:"2|00|5|00|B|00|0|00|F|00|9|00|1|00|C|00|-|00|D|00|2|00|3|00|D|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|8|00|5|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x005\x00B\x000\x00F\x009\x001\x00C\x00-\x00D\x002\x003\x00D\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x008\x005\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8742; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSTypeLib ActiveX Object Access"; flow:from_server,established; content:"00020423-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020423-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4896; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|6|00|0|00|4|00|E|00|F|00|E|00|-|00|8|00|8|00|9|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|4|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|1|00|2|00|E|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x006\x000\x004\x00E\x00F\x00E\x00-\x008\x008\x009\x007\x00-\x001\x001\x00D\x001\x00-\x00B\x009\x004\x004\x00-\x000\x000\x00A\x000\x00C\x009\x000\x003\x001\x002\x00E\x001\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7949; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Import Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|D|00|4|00|C|00|9|00|F|00|E|00|F|00|-|00|E|00|D|00|8|00|0|00|-|00|4|00|7|00|E|00|A|00|-|00|A|00|3|00|F|00|A|00|-|00|3|00|2|00|1|00|5|00|F|00|D|00|B|00|B|00|3|00|3|00|A|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00D\x004\x00C\x009\x00F\x00E\x00F\x00-\x00E\x00D\x008\x000\x00-\x004\x007\x00E\x00A\x00-\x00A\x003\x00F\x00A\x00-\x003\x002\x001\x005\x00F\x00D\x00B\x00B\x003\x003\x00A\x00B\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7477; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID access"; flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; metadata:policy security-ips drop; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7486; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|1|00|7|00|9|00|5|00|3|00|3|00|-|00|D|00|8|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x001\x007\x009\x005\x003\x003\x00-\x00D\x008\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x006\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8757; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Popup Window ActiveX Object Access"; flow:from_server,established; content:"3050F667-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F667-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4215; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID access"; flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; fast_pattern:only; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7890; rev:5;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|A|00|6|00|B|00|A|00|E|00|2|00|-|00|A|00|A|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|1|00|5|00|2|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|D|00|B|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x00A\x006\x00B\x00A\x00E\x002\x00-\x00A\x00A\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x001\x005\x002\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x00D\x00B\x009\x006\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8760; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID access"; flow:established,to_client; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D0C07D56-7C69-43F1-B4A0-25F5A11FAB19/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8367; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|5|00|B|00|C|00|B|00|E|00|E|00|4|00|-|00|7|00|7|00|2|00|8|00|-|00|4|00|1|00|A|00|0|00|-|00|9|00|7|00|B|00|E|00|-|00|1|00|4|00|E|00|1|00|C|00|A|00|E|00|3|00|6|00|A|00|A|00|E|00|"; fast_pattern:only; nocase; 
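pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x005\x00B\x00C\x00B\x00E\x00E\x004\x00-\x007\x007\x002\x008\x00-\x004\x001\x00A\x000\x00-\x009\x007\x00B\x00E\x00-\x001\x004\x00E\x001\x00C\x00A\x00E\x003\x006\x00A\x00A\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8398; rev:4;)
# Layout/rendering repair: the rendered page had several rules collapsed onto shared
# lines and split mid-rule; the rules below are restored one per line. The ASCII
# CLSID rules had lost the start of their pcre to HTML tag stripping (everything from
# "<" to the first ">" in "<OBJECT\s+[^>]*classid" was dropped, leaving "/]*classid");
# that prefix is restored so the ASCII rules anchor on the OBJECT tag exactly like the
# UTF-16 twin rules on this page. Match options, references, sids and revs are
# otherwise unchanged.
# NOTE(review): the unicode-access rules 8366, 7495, 7461, 7465 and 7451 use an
# uppercase UTF-16 content match without "nocase", unlike the neighbouring unicode
# rules; their pcre is /i, but a content match without nocase is case-sensitive.
# Left as written: changing a match option should come with a rev bump.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID access"; flow:established,to_client; content:"AF868304-AB0B-11D0-876A-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF868304-AB0B-11D0-876A-00C04FC29D46/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8774; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|9|00|2|00|3|00|B|00|8|00|6|00|-|00|1|00|5|00|F|00|1|00|-|00|4|00|6|00|F|00|F|00|-|00|A|00|1|00|9|00|A|00|-|00|D|00|E|00|8|00|2|00|5|00|F|00|9|00|1|00|9|00|5|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x009\x002\x003\x00B\x008\x006\x00-\x001\x005\x00F\x001\x00-\x004\x006\x00F\x00F\x00-\x00A\x001\x009\x00A\x00-\x00D\x00E\x008\x002\x005\x00F\x009\x001\x009\x005\x007\x006\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7990; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DDS Library Shape Control ActiveX Object Access"; flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4211; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|8|00|B|00|F|00|D|00|4|00|9|00|4|00|-|00|F|00|6|00|A|00|D|00|-|00|4|00|7|00|9|00|4|00|-|00|9|00|0|00|3|00|8|00|-|00|8|00|3|00|2|00|C|00|0|00|6|00|5|00|4|00|C|00|C|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x008\x00B\x00F\x00D\x004\x009\x004\x00-\x00F\x006\x00A\x00D\x00-\x004\x007\x009\x004\x00-\x009\x000\x003\x008\x00-\x008\x003\x002\x00C\x000\x006\x005\x004\x00C\x00C\x004\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7901; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Share Point Portal Services Log Sink ActiveX Object Access"; flow:from_server,established; content:"DE4735F3-7532-4895-93DC-9A10C4257173"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DE4735F3-7532-4895-93DC-9A10C4257173/si"; metadata:policy security-ips drop; reference:bugtraq,12646; reference:bugtraq,14515; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB837253; classtype:attempted-user; sid:4146; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID access"; flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7431; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS Straight Line Routing Logic 2 ActiveX Object Access"; flow:from_server,established; content:"B0406343-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406343-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6005; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID access"; flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7488; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|9|00|F|00|7|00|2|00|5|00|F|00|-|00|1|00|B|00|2|00|D|00|-|00|4|00|8|00|3|00|1|00|-|00|A|00|9|00|F|00|D|00|-|00|8|00|7|00|4|00|8|00|4|00|7|00|6|00|8|00|2|00|0|00|1|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x009\x00F\x007\x002\x005\x00F\x00-\x001\x00B\x002\x00D\x00-\x004\x008\x003\x001\x00-\x00A\x009\x00F\x00D\x00-\x008\x007\x004\x008\x004\x007\x006\x008\x002\x000\x001\x000\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8366; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID access"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7500; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX CLSID_CComAcctImport ActiveX Object Access"; flow:from_server,established; content:"1AA06BA1-0E88-11D1-8391-00C04FBD7C09"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1AA06BA1-0E88-11D1-8391-00C04FBD7C09/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4216; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Virtual Source ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|4|00|C|00|6|00|5|00|C|00|7|00|-|00|F|00|D|00|F|00|1|00|-|00|4|00|5|00|3|00|D|00|-|00|8|00|9|00|A|00|5|00|-|00|B|00|C|00|C|00|2|00|8|00|F|00|5|00|D|00|6|00|9|00|F|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x004\x00C\x006\x005\x00C\x007\x00-\x00F\x00D\x00F\x001\x00-\x004\x005\x003\x00D\x00-\x008\x009\x00A\x005\x00-\x00B\x00C\x00C\x002\x008\x00F\x005\x00D\x006\x009\x00F\x009\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7495; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Search Assistant UI ActiveX Object Access"; flow:from_server,established; content:"47C6C527-6204-4F91-849D-66E234DEE015"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47C6C527-6204-4F91-849D-66E234DEE015/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4230; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook Data Object ActiveX CLSID access"; flow:established,to_client; content:"0006F033-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F033-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8721; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID access"; flow:established,to_client; content:"01E04581-4EEE-11D0-BFE9-00AA005B4383"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01E04581-4EEE-11D0-BFE9-00AA005B4383/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8019; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID access"; flow:established,to_client; content:"466D66FA-9616-11D2-9342-0000F875AE17"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*466D66FA-9616-11D2-9342-0000F875AE17/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8031; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID access"; flow:established,to_client; content:"3050F391-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F391-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8025; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|7|00|8|00|D|00|5|00|5|00|4|00|-|00|4|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|7|00|0|00|D|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|9|00|1|00|6|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x007\x008\x00D\x005\x005\x004\x00-\x004\x00C\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x009\x007\x000\x00D\x00-\x000\x000\x00A\x000\x00C\x009\x001\x009\x001\x006\x000\x001\x00/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8006; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX VMR ImageSync 9 ActiveX Object Access"; flow:from_server,established; content:"E4979309-7A32-495E-8A92-7B014AAD4961"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E4979309-7A32-495E-8A92-7B014AAD4961/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4903; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|C|00|B|00|1|00|6|00|2|00|3|00|E|00|-|00|B|00|B|00|E|00|C|00|-|00|4|00|E|00|8|00|D|00|-|00|B|00|2|00|D|00|F|00|-|00|D|00|C|00|0|00|8|00|C|00|6|00|F|00|4|00|6|00|2|00|7|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00C\x00B\x001\x006\x002\x003\x00E\x00-\x00B\x00B\x00E\x00C\x00-\x004\x00E\x008\x00D\x00-\x00B\x002\x00D\x00F\x00-\x00D\x00C\x000\x008\x00C\x006\x00F\x004\x006\x002\x007\x00C\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7461; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8805; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|8|00|F|00|2|00|0|00|9|00|F|00|8|00|-|00|4|00|8|00|0|00|E|00|-|00|4|00|5|00|4|00|C|00|-|00|9|00|4|00|A|00|4|00|-|00|5|00|3|00|9|00|2|00|D|00|8|00|8|00|E|00|B|00|A|00|0|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x008\x00F\x002\x000\x009\x00F\x008\x00-\x004\x008\x000\x00E\x00-\x004\x005\x004\x00C\x00-\x009\x004\x00A\x004\x00-\x005\x003\x009\x002\x00D\x008\x008\x00E\x00B\x00A\x000\x00F\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7465; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID access"; flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7460; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|2|00|C|00|3|00|F|00|A|00|A|00|E|00|-|00|C|00|8|00|A|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|C|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|D|00|5|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x002\x00C\x003\x00F\x00A\x00A\x00E\x00-\x00C\x008\x00A\x00C\x00-\x001\x001\x00D\x000\x00-\x00B\x00C\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00D\x005\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7921; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Workspace ActiveX Object Access"; flow:from_server,established; content:"B1D4ED44-EE64-11D0-97E6-00C04FC30B4A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1D4ED44-EE64-11D0-97E6-00C04FC30B4A/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4913; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Symantec RuFSI registry Information Class ActiveX Object Access"; flow:from_server,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; metadata:policy security-ips drop; reference:bugtraq,8008; reference:cve,2003-0470; reference:url,www.microsoft.com/technet/security/bulletin/MS03-048.mspx; classtype:attempted-user; sid:4174; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Thumbnail Image ActiveX Object Access"; flow:from_server,established; content:"E1A6B8A0-3603-101C-AC6E-040224009C02"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E1A6B8A0-3603-101C-AC6E-040224009C02/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4190; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID access"; flow:established,to_client; content:"5D08B586-343A-11D0-AD46-00C04FD8FDFF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5D08B586-343A-11D0-AD46-00C04FD8FDFF/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8027; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX clsid access"; flow:established,to_client; content:"5b7524c8-2446-40e9-9474-94a779dba224"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14764; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8784; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Office 2000/2002 Web Components PivotTable ActiveX Object Access"; flow:from_server,established; content:"0002E520-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E520-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,www.microsoft.com/technet/security/bulletin/MS02-044.mspx; classtype:attempted-user; sid:4175; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WDM Instance Provider ActiveX CLSID access"; flow:established,to_client; content:"D2D588B5-D081-11D0-99E0-00C04FC2F8EC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2D588B5-D081-11D0-99E0-00C04FC2F8EC/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:8051; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BD0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8795; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX MSN Chat v4.5, 4.6 ActiveX Object Access"; flow:from_server,established; content:"9088E688-063A-4806-A3DB-6522712FC061"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9088E688-063A-4806-A3DB-6522712FC061/si"; metadata:policy security-ips drop; reference:bugtraq,4707; reference:cve,2002-0155; reference:url,www.microsoft.com/technet/security/bulletin/MS02-022.mspx; classtype:attempted-user; sid:4182; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX PSEnumVariant ActiveX Object Access"; flow:from_server,established; content:"00020421-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020421-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4894; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID access"; flow:established,to_client; content:"9F62797E-1249-4596-9FF7-AC6D851A542A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F62797E-1249-4596-9FF7-AC6D851A542A/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7886; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID access"; flow:established,to_client; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F935DC22-1CF0-11D0-ADB9-00C04FD58A0B/si"; metadata:policy security-ips drop; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,www.microsoft.com/technet/security/bulletin/MS00-049.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS00-075.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS03-032.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS99-032.mspx; classtype:attempted-user; sid:8066; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Layout ActiveX Object Access"; flow:from_server,established; content:"4CECCEB1-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB1-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/MS06-013.mspx; classtype:attempted-user; sid:6007; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BE2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8831; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Repository Object ActiveX Object Access"; flow:from_server,established; content:"6E2270FB-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E2270FB-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/MS05-054.mspx; classtype:attempted-user; sid:4905; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Stetch ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|4|00|4|00|B|00|B|00|2|00|D|00|0|00|-|00|F|00|0|00|7|00|0|00|-|00|4|00|6|00|3|00|E|00|-|00|9|00|4|00|3|00|3|00|-|00|B|00|0|00|C|00|C|00|F|00|3|00|C|00|F|00|D|00|6|00|2|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x004\x004\x00B\x00B\x002\x00D\x000\x00-\x00F\x000\x007\x000\x00-\x004\x006\x003\x00E\x00-\x009\x004\x003\x003\x00-\x00B\x000\x00C\x00C\x00F\x003\x00C\x00F\x00D\x006\x002\x007\x00/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7451; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|8|00|3|00|8|00|0|00|7|00|B|00|5|00|-|00|2|00|C|00|6|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|1|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x008\x003\x008\x000\x007\x00B\x005\x00-\x002\x00C\x006\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x001\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8766; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID access"; flow:established,to_client; content:"FBEB8A05-BEEE-4442-804E-409D6C4515E9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FBEB8A05-BEEE-4442-804E-409D6C4515E9/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/ms05-038.mspx; classtype:attempted-user; sid:7976; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID access"; flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; metadata:policy security-ips drop; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bulletin/MS06-042.mspx; classtype:attempted-user; sid:7482; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BF2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8813; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Visual Database Tools Database Designer v7.0 ActiveX Object Access"; flow:from_server,established; content:"03CB9467-FD9D-42A8-82F9-8615B4223E6E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03CB9467-FD9D-42A8-82F9-8615B4223E6E/si"; metadata:policy security-ips drop; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/bulletin/MS05-052.mspx; classtype:attempted-user; sid:4205; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"72770C4F-967D-4517-982B-92D6B9015649"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72770C4F-967D-4517-982B-92D6B9015649/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4162; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Outlook.Application ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|A|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x00A\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8372; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|6|00|0|00|C|00|4|00|B|00|8|00|3|00|-|00|E|00|2|00|1|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|F|00|3|00|E|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|B|00|E|00|8|00|4|00|A|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x006\x000\x00C\x004\x00B\x008\x003\x00-\x00E\x002\x001\x001\x00-\x001\x001\x00D\x002\x00-\x00B\x00F\x003\x00E\x00-\x000\x000\x008\x000\x005\x00F\x00B\x00E\x008\x004\x00A\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8402; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID access"; flow:established,to_client; content:"E0CB08CE-AB3D-4779-9C77-62A439BFE6C3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0CB08CE-AB3D-4779-9C77-62A439BFE6C3/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7896; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID access"; flow:established,to_client; content:"C46C1BC8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,www.microsoft.com/technet/security/bulletin/MS06-067.mspx; classtype:attempted-user; sid:8792; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX DigWebX MSN ActiveX Object Access"; flow:from_server,established; content:"05E6787D-82D9-4D24-91DD-97FE8D199501"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05E6787D-82D9-4D24-91DD-97FE8D199501/si"; metadata:policy security-ips drop; reference:bugtraq,13946; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:4197; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Kodak Image Scan Control ActiveX Object Access"; flow:from_server,established; content:"84926CA0-2941-101C-816F-0E6013114B7F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*84926CA0-2941-101C-816F-0E6013114B7F/si"; metadata:policy security-ips drop; reference:url,www.microsoft.com/technet/security/bulletin/MS99-037.mspx; classtype:attempted-user; sid:4180; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft Video 7 ActiveX clsid access"; flow:established,to_client; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-0015; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-032.mspx; reference:url,www.microsoft.com/technet/security/advisory/972890.mspx; classtype:attempted-user; sid:15672; rev:4;)
# Obfuscated-instantiation rules: these key on the JavaScript constructor call rather than
# a CLSID, so they complement the per-control rules above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode"; flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"String.fromCharCode|28|"; fast_pattern; nocase; pcre:"/new\s*ActiveXObject\(\s*String.fromCharCode\(/smi"; metadata:policy security-ips drop; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16574; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated ActiveX object instantiation via unescape"; flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/new\s*ActiveXObject\(\s*unescape\(/smi"; metadata:policy security-ips drop; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16573; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:established,to_client; isdataat:1024; content:"ctrl.InstallBrowserHelperDll"; nocase; content:"General_ServerName"; nocase; content:!">"; within:1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft creator.dll 2 ActiveX clsid access"; flow:established,to_client; content:"F849164D-9863-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft MyInfo.dll ActiveX clsid access"; flow:established,to_client; content:"4682C82A-B2FF-11D0-95A8-00A0C92B77A9"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17592; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft creator.dll 1 ActiveX clsid access"; flow:established,to_client; content:"606EF130-9852-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX obfuscated instantiation of ActiveX object - likely malicious"; flow:established,to_client; content:"new ActiveXObject|28|"; nocase; content:"unescape|28|"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft ciodm.dll ActiveX clsid access"; flow:established,to_client; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Microsoft msdxm.ocx ActiveX clsid access"; flow:established,to_client; content:"8E71888A-423F-11D2-876E-00A0C9082467"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Whale Client Components ActiveX ProgID access"; flow:established,to_client; content:"ComponentManager.Installer"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18491; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX Whale Client Components ActiveX clsid access"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18490; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; nocase; content:"cdda|3A 2F 2F|"; nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX clsid access"; flow:established,to_client; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,42823; classtype:attempted-user; sid:19085; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX function call"; flow:established,to_client; content:"LEADRasterTwain.LEADRasterTwain"; fast_pattern:only; nocase; metadata:policy security-ips drop; reference:bugtraq,42823; classtype:attempted-user; sid:19086; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,www.microsoft.com/technet/security/bulletin/MS05-002.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS07-017.mspx; classtype:attempted-user; sid:3079; rev:9;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; 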
content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; metadata:policy security-ips drop; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB828750; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q293338; reference:url,www.microsoft.com/technet/security/bulletin/MS02-055.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS05-001.mspx; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT iTunes playlist URL overflow attempt"; flow:from_server,established; content:"[playlist]"; pcre:"/^File[0-9]+=http\x3a\x2f\x2f[^\n]{150}/Rsmi"; metadata:policy security-ips drop; reference:bugtraq,12238; reference:cve,2005-0043; classtype:attempted-user; sid:3471; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer SMIL file overflow attempt"; flow:to_client,established; content:""; nocase; content:"system-screen-size=|22|"; distance:0; nocase; isdataat:256; content:!"|22|"; within:256; metadata:policy security-ips drop, service http; reference:bugtraq,12698; reference:cve,2005-0455; classtype:attempted-user; sid:3473; rev:12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:3536; rev:10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE 
javaprxy.dll COM access"; flow:from_server,established; content:"03D9F3F2-B0E3-11D2-B081-006008039BF0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03D9F3F2-B0E3-11D2-B081-006008039BF0/si"; metadata:policy security-ips drop; reference:bugtraq,14087; reference:cve,2005-2087; reference:url,www.microsoft.com/technet/security/bulletin/ms05-037.mspx; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17680; classtype:attempted-user; sid:3814; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT msdds clsid attempt"; flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; reference:bugtraq,14594; reference:cve,2005-1990; reference:cve,2005-2127; reference:url,www.frsirt.com/english/advisories/2005/1450; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4132; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT devenum clsid attempt"; flow:from_server,established; content:"083863F1-70DE-11d0-BD40-00A0C911CE86"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083863F1-70DE-11d0-BD40-00A0C911CE86/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; sid:4133; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT blnmgr clsid attempt"; flow:from_server,established; content:"3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/si"; metadata:policy security-ips drop; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; classtype:attempted-user; 
sid:4134; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed windows shortcut file with comment buffer overflow attempt"; flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/bulletin/MS05-049.mspx; classtype:attempted-user; sid:4644; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT malformed windows shortcut file buffer overflow attempt"; flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,www.microsoft.com/technet/security/bulletin/MS05-049.mspx; classtype:attempted-user; sid:4643; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Metasploit Windows picture and fax viewer wmf arbitrary code execution attempt"; flow:from_server,established; content:"|01 00 09 00 00 03|R|1F 00 00 06 00|=|00 00 00 00 00|"; content:"&|06 09 00 16 00|"; metadata:policy 
security-ips drop; reference:bugtraq,16074; reference:cve,2005-4560; reference:url,www.microsoft.com/technet/security/bulletin/ms06-001.mspx; classtype:web-application-attack; sid:5319; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player Plugin for Non-IE browsers buffer overflow attempt"; flow:from_server,established; content:"]+?src\s*=\s*(\x22[^\x22]{1024}|\x27[^\x27]{1024}|[^\s]{1024})/i"; metadata:policy security-ips drop, service http; reference:bugtraq,16644; reference:cve,2006-0005; reference:url,www.microsoft.com/technet/security/bulletin/ms06-006.mspx; classtype:attempted-user; sid:5710; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player zero length bitmap heap overflow attempt"; flow:established,to_client; content:"BM|00 00 00 00|"; pcre:"/^BM\x00\x00\x00\x00/sm"; metadata:policy security-ips drop; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,www.eeye.com/html/research/advisories/AD20060214.html; reference:url,www.microsoft.com/technet/security/bulletin/ms06-005.mspx; classtype:attempted-admin; sid:5711; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Metafile invalid header size integer overflow"; flow:from_server,established; content:"|D7 CD C6 9A|"; byte_test:2,<,8,25,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,16516; reference:cve,2006-0020; reference:url,www.microsoft.com/technet/security/bulletin/ms06-004.mspx; classtype:attempted-admin; sid:5713; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB CLIENT Windows Media Player invalid data offset bitmap heap overflow attempt"; flow:established,to_client; file_data; content:"BM"; within:2; byte_test:4,<,14,8,little,relative; metadata:policy security-ips drop; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,www.eeye.com/html/research/advisories/AD2006021.html; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-005.mspx; classtype:attempted-admin; sid:5712; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt"; flow:from_server,established; flowbits:isset,http.hhp.download; content:"["; content:"]"; distance:0; content:"file"; distance:0; nocase; content:"="; distance:0; pcre:"/\x5B(OPTIONS|WINDOWS|MERGE FILES|MAP|ALIAS|TEXT\x20POPUPS|INFOTYPES|SUBSETS)\x5D.*?(Contents|Index|Compiled|Sample List|Full text search stop list)\x20file\s*\x3D[^\r\n]{200}/smi"; metadata:policy security-ips drop; reference:cve,2006-0564; reference:cve,2009-0133; reference:url,users.pandora.be/bratax/advisories/b008.html; reference:url,www.frsirt.com/english/advisories/2006/0446; classtype:attempted-user; sid:5741; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0"; flow:from_server,established; content:"image/"; pcre:"/^Content-Type\s*\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; content:"GIF"; distance:0; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6502; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow attempt"; flow:to_client,established; content:"URL"; nocase; content:"mhtml|3A|//"; distance:0; nocase; pcre:"/^\s*URL\s*=\s*mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\r\n]{1253}/smi"; metadata:policy security-ips drop; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,www.microsoft.com/technet/security/bulletin/ms06-043.mspx; classtype:attempted-user; sid:6510; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime udta atom overflow attempt"; flow:to_client,established; 
content:"udta"; byte_test:4,>,4294967291,-8,relative; metadata:policy security-ips drop; reference:bugtraq,17953; reference:cve,2006-1460; classtype:attempted-user; sid:6506; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6503; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; byte_test:4,>,8388606,56,little,relative; metadata:policy security-ips drop; reference:bugtraq,17074; reference:cve,2006-1249; classtype:attempted-user; sid:6505; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer mhtml uri href buffer overflow attempt"; flow:to_client,established; content:"mhtml|3A|//"; nocase; pcre:"/href\s*=\s*(\x22mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x22]{1253}|\x27mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x27]{1253}|mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x09\r\n\x20]{1253})/smi"; metadata:policy security-ips drop; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,www.microsoft.com/technet/security/bulletin/ms06-043.mspx; classtype:attempted-user; sid:6509; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT windows explorer invalid url file overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; within:100; nocase; content:"url="; distance:0; nocase; content:"file|3A|file|3A|file|3A|"; distance:0; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,18838; reference:cve,2006-3351; classtype:denial-of-service; 
sid:7022; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel object record overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|5D 00|"; byte_test:2,>,8224,0,relative,little; content:"|15 00 12 00|"; within:4; distance:2; metadata:policy security-ips drop, service http; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,www.microsoft.com/technet/security/bulletin/ms06-037.mspx; classtype:attempted-user; sid:7048; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT excel object ftCmo overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"|5D 00|"; content:"|15 00 12 00|"; within:4; distance:2; byte_test:2,>,0x1E,0,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,www.microsoft.com/technet/security/bulletin/ms06-037.mspx; classtype:attempted-user; sid:7204; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla javascript navigator object access"; flow:to_client,established; content:"window.navigator"; nocase; content:"="; within:2; content:"java."; distance:0; nocase; metadata:policy security-ips drop; reference:bugtraq,19181; reference:cve,2006-3677; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-45.html; classtype:attempted-user; sid:8058; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer error message format string vulnerability attempt"; flow:established,to_client; content:""; nocase; pcre:"/<[^>]*?\x25/ROsmi"; metadata:policy security-ips drop; reference:bugtraq,14945; reference:cve,2005-2710; classtype:attempted-user; sid:8091; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML fill method overflow attempt"; flow:from_server,established; content:"|3A|fill"; nocase; content:"method"; distance:0; nocase; 
pcre:"/<\w+\x3afill\s[^>]*method\s*=\s*(\x27[^\x27]{32}|\x22[^\x22]{32}|[^\s>]{32})/smi"; metadata:policy security-ips drop; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,www.microsoft.com/technet/security/bulletin/ms06-055.mspx; classtype:attempted-user; sid:8416; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel colinfo XF record overflow attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"}|00 0C 00 00 00|"; content:!"|00|"; within:1; distance:1; metadata:policy security-ips drop; reference:cve,2006-3875; reference:url,www.microsoft.com/technet/security/bulletin/ms06-059.mspx; classtype:attempted-user; sid:8448; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; content:"|90 08 00|3|B1 E5 CF 11 89 F4 00 A0 C9 03|I|CB|"; byte_test:4,>,715827882,36,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9641; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; content:"@R|D1 86 1D|1|D0 11 A3 A4 00 A0 C9 03|H|F6|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9642; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player ASF marker object 
parsing buffer overflow attempt"; flow:to_client,established; content:"|01 CD 87 F4|Q|A9 CF 11 8E E6 00 C0 0C| Se"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-078.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-052.mspx; classtype:attempted-user; sid:9643; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime RTSP URI overflow attempt"; flow:from_server,established; content:"rtsp|3A|//"; nocase; pcre:"/(=\s*([\x27|\x22]rtsp\x3A[^\x22\x27\s]{200}|rstp\x3A[^\s\x3E]{200})|\x3Csrc\x3Ertsp\x3A[^\x3C]{200})/smi"; metadata:policy security-ips drop; reference:bugtraq,21829; reference:cve,2007-0015; reference:url,applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html; classtype:attempted-user; sid:9823; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime HREF Track Detected"; flow:established,to_client; flowbits:isset,http.quicktime; content:"> T<"; fast_pattern:only; pcre:"/A?<\s*([A-Za-z]{3,5}\x3A\x2F\x2F|javascript\x3a)[^>]+> T $HOME_NET any (msg:"WEB-CLIENT Firefox query interface suspicious function call access attempt"; flow:established,to_client; content:"location.QueryInterface"; nocase; content:"Components.interfaces.nsIClassInfo"; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-04.html; classtype:attempted-user; sid:10063; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Photoshop PNG file handling stack buffer overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"PLTE"; byte_test:4,>,768,-8,relative,big; metadata:policy security-ips drop; reference:bugtraq,23698; 
reference:cve,2007-2365; classtype:attempted-user; sid:11267; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow"; flow:to_client,established; content:"smil "; nocase; content:"wallclock|28|"; distance:0; nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel malformed FBI record"; flow:from_server,established; flowbits:isset,http.xls; content:"`|10|"; byte_test:2,>,32767,6,relative; metadata:policy security-ips drop, service http; reference:bugtraq,23826; reference:cve,2007-1203; reference:cve,2007-1747; reference:url,www.microsoft.com/technet/security/bulletin/ms07-023.mspx; classtype:attempted-user; sid:12256; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt"; flow:to_client,established; content:"8|00 04 00|"; byte_test:2,>,32767,0,relative,little; flowbits:isset,http.xlw; reference:cve,2007-3890; reference:url,www.microsoft.com/technet/security/Bulletin/ms07-044.mspx; classtype:attempted-user; sid:12284; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PCRE character class double free overflow attempt"; flow:to_client,established; content:"RegExp("; nocase; content:"[["; distance:0; content:"]]"; within:6; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25002; reference:cve,2007-3944; reference:url,docs.info.apple.com/article.html?artnum=306174; classtype:attempted-user; sid:12286; rev:6;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer lyrics heap overflow attempt"; flow:established,to_client; content:"LYRICSBEGIN"; nocase; pcre:"/(EAL|EAR|ETT)\s*-0{0,4}1/i"; reference:bugtraq,26214; reference:cve,2007-5080; classtype:attempted-user; sid:12707; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks SMIL wallclock stack overflow attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC picture description metadata buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|06|"; byte_jump:4,7,relative; content:"|FF FF FF FF|"; within:4; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12743; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy security-ips drop, service http; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FLAC libFLAC VORBIS string buffer overflow attempt"; flow:to_client,established; content:"fLaC"; content:"|04|"; content:"|FF FF FF FF|"; within:4; distance:3; metadata:policy security-ips drop, service http; reference:bugtraq,26042; 
reference:cve,2007-4619; classtype:attempted-user; sid:12744; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_CLIENT Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:established,to_client; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13159; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:established,to_client; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13160; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_CLIENT Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:established,to_client; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0064; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-068.mspx; classtype:attempted-user; sid:13158; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing des buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|des"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13319; 
rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing ART buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|ART"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13316; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cpy buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cpy"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13320; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing nam buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|nam"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; classtype:attempted-user; sid:13317; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 3, relative; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13300; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash Player embedded JPG image width overflow attempt"; flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 5, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13301; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Quicktime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset, quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SYmbolic LinK file download"; flow:to_client,established; flowbits:isset,csv.download; content:"ID|3B|P"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2008-0112; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-014.mspx; classtype:misc-activity; sid:13585; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|"; within:6; distance:900; content:"?|13 1F 00 00 00|"; within:6; distance:640; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; 
reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|A8 15|"; content:"|8C 15|"; within:2; distance:40; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"|19 13|"; within:2; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt"; flow:to_client,established; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|"; within:6; distance:45; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"?|13 19 00 00 00|"; within:6; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime Obji Atom parsing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"obji"; nocase; byte_test:4,<,20,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:13920; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start JNLP attribute buffer overflow attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"WEB-CLIENT Adobe Reader and Acrobat util.printf buffer overflow 
attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript/JS"; nocase; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start xml encoding buffer overflow attempt"; flow:established,to_client; content:"]+?encoding\s*=\s*(\x22[^\x22]{28}|\x27[^\x27]{28})/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,28083; reference:cve,2008-1188; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1; classtype:attempted-admin; sid:15081; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt TEST"; flow:to_client,established; flowbits:isset,xspf_file.request; file_data; content:"|3C|identifier|3E|"; pcre:"/\x3cidentifier\x3E[^\x3c]*\x2d\d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ACD Systems ACDSee XPM file format overflow attempt"; flow:to_client,established; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy security-ips drop, service http; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:15236; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Portable Executable binary file transfer"; flow:to_client,established; content:"MZ|90 00|"; byte_jump:4,56,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,exe.download; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:15306; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 
Adobe PDF JBIG2 remote code execution attempt"; flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; nocase; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/si"; byte_test:1,&,0x40,4,relative; byte_test:1,=,0,5,relative; byte_test:4,>,0x1000,6,relative,big; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15357; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; metadata:policy security-ips drop, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15362; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt"; flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime pict image poly structure memory corruption attempt"; flow:established,to_client; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/R"; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OLE32 microsoft MSHTA masquerade attempt"; flow:to_client,established; flowbits:isnotset,http.hta; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; nocase; content:"|D8 F4|P0|B5 98 CF 11 BB 82 00 AA 00 BD CE 0B|"; within:16; distance:60; metadata:policy security-ips drop; reference:bugtraq,13132; reference:cve,2005-0063; reference:url,www.microsoft.com/technet/security/bulletin/ms05-016.mspx; classtype:attempted-user; sid:3552; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:established,to_client; content:"|01 00 00 00|"; content:" EMF"; within:4; distance:36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|"; within:12; distance:-8; content:"F|00 00 00|"; distance:0; content:"|08|@|00 06|"; within:4; distance:12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Nullsoft Winamp pls file player name handling buffer overflow attempt"; flow:to_client,established; content:"[playlist]"; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy security-ips drop, service http; reference:bugtraq,16410; reference:cve,2006-0476; classtype:attempted-user; sid:15472; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT asp file upload"; flow:to_server,established; content:".asp"; nocase; flowbits:set,asp.upload; flowbits:noalert; 
classtype:protocol-command-decode; sid:15471; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple QuickTime Movie File Clipping Region handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.quicktime; content:"crgn"; byte_jump:2,-6,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15559; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader JPX malformed code-block width attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"jP "; content:"|FF|O|FF|Q"; distance:0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF|R"; within:2; byte_test:1,>,16,7,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1859; classtype:attempted-user; sid:15562; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT F-Secure AntiVirus library heap overflow attempt"; flow:to_client,established; flowbits:isset,arj_file.request; content:"|0A|`|EA|"; pcre:"/\x0a\x0d?\x0a\x60\xea(.{36}[^\x00]{256}|.+\x60\xea.{32}[^\x00]{256})/s"; metadata:policy security-ips drop, service http; reference:bugtraq,12515; reference:cve,2005-0350; classtype:attempted-user; sid:15583; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"pcast|3A|//"; nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITMS 
protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Acrobat PDF font processing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"obj<<"; content:"/BaseFont"; 
distance:0; content:"endobj"; distance:0; pcre:"/obj\x3c\x3c.*?\x2fBaseFont\x2f[^\x80-\xff\x2f]*[\x80-\xff].*?endobj/s"; metadata:policy security-ips drop, service http; reference:bugtraq,32100; reference:cve,2008-4813; reference:url,vallejo.cc/proyectos/adobereader812.html; classtype:attempted-user; sid:15867; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libxml2 XML file processing long entity name buffer overflow attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"WEB-CLIENT FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,4xm.request; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sophos Anti-Virus zip file handling DoS attempt"; flow:to_client,established; content:"PK|03 04|"; content:"|0C 00|"; within:2; distance:4; content:"-|00 00 00 F9 00 00 00 05 00 FF FF|"; within:12; distance:8; metadata:policy security-ips drop, service http; reference:bugtraq,14270; reference:cve,2005-1530; classtype:attempted-dos; sid:15957; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp midi file header overflow attempt"; flow:to_client,established; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy security-ips drop, service http; reference:bugtraq,18507; 
reference:cve,2006-3228; classtype:attempted-user; sid:16027; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer nested object tag memory corruption attempt"; flow:to_client,established; content:"|0A| $HOME_NET any (msg:"WEB-CLIENT GNU tar PAX extended headers handling overflow attempt"; flow:to_client,established; content:"GNU.sparse.numblocks="; nocase; pcre:"/GNU\x2esparse\x2enumblocks\s*\x3d\s*(0|[6-9]\d{4})/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:16053; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; content:"BGCOLOR=|22|http|3A 22|-|9D 22 22| DP=-|B3| UNITS=|22 E2 E2 E2 E2|"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:16050; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox CSS Letter-Spacing overflow attempt"; flow:to_client,established; content:"style=|22|letter-spacing|3A| -2147483648"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-1730; classtype:attempted-user; sid:16044; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft SQL Server Distributed Management Objects overflow attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields"; flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:2;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - with optional fields"; flow:to_client,established; content:"|0D 0A 0D 0A|MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,&,0x0004,26,relative,little; byte_jump:2,32,relative,little; pcre:"/^.{2}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16296; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,http.dir; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|"; within:4; distance:-24; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,www.microsoft.com/technet/security/bulletin/MS09-072.mspx; classtype:attempted-user; sid:16311; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-CLIENT FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; content:"OggS"; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36465; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"ServerSize="; distance:0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"HostSize="; distance:0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Compound File Binary v3 file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,http.oless.v3; flowbits:noalert; classtype:misc-activity; sid:16474; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Compound File Binary v4 file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; 
distance:16; flowbits:set,http.oless.v4; flowbits:noalert; classtype:misc-activity; sid:16475; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; content:"wOFF|00 01 00 00|"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; content:"wOFFOTTO"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"4|3A|pathl"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"4|3A|name"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; 
reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"7|3A|comment"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,http.torrent; content:"8|3A|announce"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Java Web Start arbitrary command execution attempt"; flow:to_client,established; content:"application/x-java-applet"; nocase; content:"-XXaltjvm"; fast_pattern:only; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16585; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; content:""; nocase; content:""; distance:0; nocase; content:" $HOME_NET any (msg:"WEB-CLIENT Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; fast_pattern:only; nocase; content:"-XXaltjvm"; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,39346; 
reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Amaya web editor XML and HTML Parser Buffer overflow attempt"; flow:to_client,established; content:"]{500})/isR"; metadata:service http; reference:bugtraq,33047; reference:cve,2009-0323; classtype:attempted-user; sid:16601; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; file_data; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; content:"defer"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40725; reference:cve,2010-1885; reference:url,osvdb.org/show/osvdb/65264; reference:url,www.microsoft.com/technet/security/bulletin/MS10-042.mspx; classtype:attempted-user; sid:16665; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Astonsoft Deepburner dbr file name buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|DeepBurner_record"; nocase; content:"|3C|data_cd"; distance:0; nocase; content:"|3C|file"; distance:0; nocase; pcre:"/^\s*[^\x3E]*path\s*=\s*(\x22[^\x22]{272}|\x27[^\x27]{272}|[^\s\x3E]{272})/iR"; metadata:policy security-ips drop, service http; reference:bugtraq,21657; reference:cve,2006-6665; reference:url,osvdb.org/show/osvdb/32356; classtype:attempted-user; sid:16696; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration"; flow:to_client, established; content:"FlateDecode"; content:"DecodeParms"; pcre:"/DecodeParms\s*\[[^\]]*Colors\s*\d\d\d\d/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,36600; reference:cve,2009-3459; classtype:attempted-user; sid:16677; rev:1;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Sun Java Web Start Splashscreen PNG processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; within:16; pcre:"/^([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/Rs"; metadata:policy security-ips drop; reference:bugtraq,34240; reference:cve,2009-1097; classtype:attempted-user; sid:16716; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]"; within:9; content:"INDEX 1="; distance:0; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-1260; reference:url,osvdb.org/show/osvdb/53275; classtype:attempted-user; sid:16733; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF"; within:4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; content:"OrbitalFileV1.0|0D 0A|"; pcre:"/^[^\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 
0A|[Group,Export,Yes]|0D 0A|"; within:22; content:"Computer="; distance:0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-4265; reference:url,osvdb.org/show/osvdb/60681; classtype:attempted-user; sid:16727; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|"; distance:0; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3861; reference:url,osvdb.org/show/osvdb/59724; classtype:attempted-user; sid:16732; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT UltraISO CUE file handling stack buffer overflow attempt"; flow:to_client,established; file_data; content:"FILE |22|"; within:6; isdataat:512,relative; content:!"|22|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24140; reference:cve,2007-2888; classtype:attempted-user; sid:16734; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|"; within:12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,38815; reference:url,osvdb.org/show/osvdb/63067; classtype:attempted-user; sid:16736; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version"; within:41; 
content:"cell[0].images[0].image="; distance:0; isdataat:512,relative; content:!"|0A|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16730; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; within:12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset, http.m3u.download; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16751; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,xspf_file.request; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16752; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT MultiMedia Jukebox multiple playlist file handling overflow attempt"; flow:to_client,established; flowbits:isset,http.m3u.download; file_data; content:"http|3A 2F 2F|"; within:7; pcre:"/^[^\s]{256}/R"; metadata:service http; reference:cve,2009-2650; 
reference:url,osvdb.org/show/osvdb/55924; classtype:attempted-user; sid:16739; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT DX Studio Player plug-in command injection attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"WEB-CLIENT Microsoft LNK shortcut download attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-2568; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms10-046.mspx; classtype:attempted-user; sid:17042; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml"; nocase; content:"|3C|outline"; distance:0; nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 3"; flow:to_client,established; flowbits:isset,http.mp4; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17150; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 2"; flow:to_client,established; flowbits:isset,http.mp3; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17149; rev:1;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 1"; flow:to_client,established; flowbits:isset,http.avi; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40428; classtype:attempted-user; sid:17148; rev:1;)
# sid:10126 - QuickTime JPEG Huffman table (CVE-2005-0903). Depends on the
# http.jpeg flowbit; the rule that sets it is not in this part of the file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt"; flow:to_client,established; flowbits:isset,http.jpeg; content:"|FF C4 02 11 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:service http; reference:bugtraq,12905; reference:cve,2005-0903; classtype:attempted-user; sid:10126; rev:6;)
# sid:17212 - Firefox eval via arguments.callee / __parent__ (CVE-2005-1532).
# Second content is anchored with distance:0 and carries the fast_pattern.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt"; flow:established, from_server; content:"arguments|2E|callee|2E|"; nocase; content:"|5F 5F|parent|5F 5F 2E|eval"; distance:0; fast_pattern; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,13645; reference:cve,2005-1532; reference:url,secunia.com/advisories/15528/; classtype:attempted-user; sid:17212; rev:3;)
# NOTE(review): the next line is two rules fused together and is not loadable
# as written. The Safari "LI tag with large VALUE attribute" rule ends at
# content:" and the header of the Firefox Chrome rule (sid:17213) is missing;
# this looks like an HTML-tag pattern lost during extraction. Restore both from
# the original ruleset rather than editing this text.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari LI tag with large VALUE attribute exploit attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:established, to_client; content:"window|2E|open"; nocase; content:"about|3A|mozilla"; within:50; nocase; content:"document|2E|write"; distance:0; nocase; content:"about|3A|config"; within:50; fast_pattern; nocase; metadata:policy security-ips drop, service http; reference:cve,2005-2706; reference:url,secunia.com/advisories/16911/; classtype:attempted-user; sid:17213; rev:1;)
# sid:17216 - Safari TABLE cellspacing (CVE-2006-1986). The pcre is relative
# (/R) to the "cellspacing" match and requires a 10-digit value after "=".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Safari TABLE tag with large CELLSPACING 
attribute exploit attempt"; flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1986; classtype:attempted-user; sid:17216; rev:1;)
# sid:17227 - Excel sheet name memory corruption (CVE-2007-3490); byte pattern
# must fall within 20 bytes after "Sheet1".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"Sheet1"; content:"|8C 00 04 00 56 00 56 00 C1 01 08 00 C1 01 00 00 80 38 01 00|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:1;)
# sid:17229 - flowbit setter (noalert) for little-endian TIFF ("II*\0").
# NOTE(review): direction is $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET, i.e. it
# only tags responses from HOME_NET web servers to external clients, while the
# consumers below (sid:17231, sid:17232) inspect $EXTERNAL_NET $HTTP_PORTS ->
# $HOME_NET. Unless $HOME_NET and $EXTERNAL_NET overlap, http.tiff.little is
# never set on the flows the consumers see and they cannot fire. The sibling
# setter sid:17230 has the same direction; compare with the other WEB-CLIENT
# setters and confirm against the upstream revision. Also lacks
# metadata:service http, unlike the surrounding rules.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Tiff file download - little-endian"; flow:to_client,established; file_data; content:"II|2A 00|"; within:4; flowbits:set,http.tiff.little; flowbits:noalert; classtype:misc-activity; sid:17229; rev:2;)
# sid:17232 - Kodak Imaging TIFF, big-endian (CVE-2007-2217 / CVE-2010-3950).
# byte_test reads the 4 bytes immediately after the matched tag/type bytes and
# alerts when that value is greater than 6 (presumably the IFD entry's count
# field -- confirm against the TIFF layout). See the direction note on sid:17229.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_client,established; flowbits:isset,http.tiff.big; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:service http; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-105.mspx; classtype:attempted-user; sid:17232; rev:5;)
# sid:17230 - flowbit setter (noalert) for big-endian TIFF ("MM\0*").
# Same direction concern as sid:17229.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT Tiff file download - big-endian"; flow:to_client,established; file_data; content:"MM|00 2A|"; within:4; flowbits:set,http.tiff.big; flowbits:noalert; classtype:misc-activity; sid:17230; rev:2;)
# sid:17231 - Kodak Imaging TIFF, little-endian (CVE-2007-2217).
# NOTE(review): the msg says "small offset" while sid:17232 says "large
# offset", yet both apply the same test (byte_test:4,>,6,0,relative) differing
# only in endianness. The labels would mislead triage; align the wording.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_client,established; flowbits:isset,http.tiff.little; content:"|02 01 03 00|"; 
byte_test:4,>,6,0,relative,little; metadata:service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:17231; rev:4;)
# sid:17236 - Firefox nsPropertyTable (CVE-2009-3070).
# NOTE(review): both pcre options begin with "/]*?" -- the opening tag
# portion of each pattern appears to have been stripped (likely extraction of
# "<...[^>" as HTML). As written these regexes will not match what the rule
# intends; restore them from the original ruleset.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox nsPropertyTable PropertyList memory corruption attempt"; flow:established, to_client; content:"-moz-column-"; fast_pattern:only; content:"documentElement.style.height"; pcre:"/]*?height[^>]*?>/smi"; pcre:"/]*?position[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?documentElement\.style\.height[^>]*?/smiR"; metadata:policy security-ips drop, service http; reference:cve,2009-3070; reference:url,secunia.com/advisories/36671/; classtype:attempted-user; sid:17236; rev:1;)
# sid:17245 - Firefox image dragging (CVE-2005-0230): <img ...> with a .bat
# reference inside the tag, confirmed by the pcre.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox image dragging exploit attempt"; flow:to_client,established; content:"|3C|img|20|"; content:"|2E|bat"; distance:0; fast_pattern; nocase; pcre:"/\x3cimg\s[^\x3e]*\x2ebat/i"; metadata:policy security-ips drop, service http; reference:cve,2005-0230; classtype:attempted-user; sid:17245; rev:2;)
# sid:16055 - iTunes AAC (CVE-2006-1467). byte_jump uses the 4-byte big-endian
# value 8 bytes before the cursor (after "stsc") to skip to the next box, then
# expects "stsz" and bounds-checks two fields around it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple iTunes AAC file handling integer overflow attempt"; flow:to_client,established; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy security-ips drop, service http; reference:bugtraq,18730; reference:cve,2006-1467; classtype:attempted-user; sid:16055; rev:3;)
# sid:17292 - PowerPoint malformed data record (CVE-2006-3876); second content
# must start exactly 1 byte after |F2 03| and fit within 17 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint malformed data record code execution attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|F2 03|"; content:"|AA AA AA 2F 00 C8 0F 0C 00 00 00 30 00 D2 0F 04 00|"; within:17; distance:1; metadata:policy security-ips drop, service http; reference:bugtraq,20322; 
reference:cve,2006-3876; classtype:attempted-user; sid:17292; rev:2;)
# sid:17265 - Firefox plugin access control bypass (CVE-2005-0527).
# NOTE(review): all three contents are literals from a specific proof of
# concept (path "c:\\\\booom.bat", the exact init flags). False-positive risk
# is negligible but coverage is narrow; consider generalising in a later rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox plugin access control bypass attempt"; flow:to_client,established; content:"file|2E|initWithPath|28 22|c|3A 5C 5C 5C 5C|booom|2E|bat"; content:"xpcom|20 2B 3D 20 27|file|2E|createUnique"; content:"outputStream|2E|init|28|file|2C|0x04|7C|0x08|7C|0x20|2C|420"; metadata:policy security-ips drop, service http; reference:bugtraq,12655; reference:cve,2005-0527; classtype:attempted-user; sid:17265; rev:2;)
# sid:17258 - Firefox XUL tree (CVE-2009-1044). NOTE(review): the last content
# ("delete selection") has no distance:0 while the two before it do, so it is
# matched from the start of the buffer rather than after "delete tree";
# confirm whether that is intended. Also keyed to PoC-specific literals
# (timedSelect(1,8000)), same caveat as sid:17265.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|"; distance:0; content:"delete|20|tree"; distance:0; content:"delete|20|selection"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:1;)
# sid:17272 - RealPlayer AVI "strf" chunk (CVE-2005-2052): |08 00| must sit
# exactly 18 bytes after "strf"; the 4-byte little-endian field 16 bytes
# further on must exceed 0x100. Depends on the http.avi flowbit set elsewhere.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealNetworks RealPlayer AVI parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,http.avi; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy security-ips drop, service http; reference:bugtraq,13530; reference:cve,2005-2052; classtype:attempted-user; sid:17272; rev:2;)
# sid:17284 - Office routing slip (CVE-2006-0009). NOTE(review): the byte
# pattern ends in |41 41 41 41| ("AAAA"), which looks like PoC filler rather
# than a structural field; any variant with different padding is missed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Office malformed routing slip code execution attempt"; flow:to_client,established; flowbits:isset,http.xls; content:"Routing|3A 20|"; content:"|B9 00 9B 05 56 04 3F 05 00 00 41 41 41 41|"; distance:0; metadata:policy security-ips drop, service http; reference:bugtraq,17000; reference:cve,2006-0009; classtype:attempted-user; sid:17284; rev:2;)
# sid:17271 - Windows Web View script injection (CVE-2005-1191); pcre
# re-validates the |1E 00 00 00| marker followed by "@" and "javascript"
# within a NUL-free run. Depends on the http.doc flowbit set elsewhere.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 
Microsoft Windows Web View script injection attempt"; flow:to_client,established; flowbits:isset,http.doc; content:"|1E 00 00 00|"; fast_pattern; content:"javascript"; distance:0; nocase; pcre:"/\x1e\x00\x00\x00.{4}[^\x00]*?\x40[^\x00]*?javascript/i"; metadata:policy security-ips drop, service http; reference:bugtraq,13248; reference:cve,2005-1191; classtype:attempted-user; sid:17271; rev:2;)
# sid:17285 - PowerPoint PPT parsing (CVE-2006-3656); single fast_pattern:only
# byte sequence, gated on the http.ppt flowbit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Powerpoint PPT file parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,http.ppt; content:"|A4 37 7A 00 81 00 00 00 00 00 82 00 00 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:bugtraq,18993; reference:cve,2006-3656; classtype:attempted-user; sid:17285; rev:2;)
# NOTE(review): the IE malformed iframe rule below is cut off at content:" in
# this copy (the pattern and the rest of the rule, including its sid, are
# missing); verify it against the original ruleset before loading.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft IE malformed iframe buffer overflow attempt"; flow:to_client,established; content:"