#
# $Id: bleeding-exploit.rules $
# Bleeding Snort exploit rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. 
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2006, Bleedingsnort.com
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Buffer Overflow Exploit in Adobe Acrobat Reader"; flow: established; content:"URI/URI"; nocase; pcre:"/URI/URI\(mailto\:[^"]*"[^"]*"x[\d]{3}/i"; reference:url,www.securiteam.com/securitynews/5WP080AAKK.html; classtype:shellcode-detect; sid: 2001049; rev:6; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; uricontent:".pdf|00|"; nocase; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; classtype:attempted-admin; sid:2001217; rev:7; )

#From Bdoctor
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Arkeia full remote access without password or authentication"; flow: from_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; classtype: attempted-admin; sid: 2001742; rev:5; )

# Submitted to Snort-Sigs by Chas Tomlin, with additions by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:11; )

#Matt Jonkman and Frank Knobbe
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in"; flow: to_server,established; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; reference:url,www.vitalsecurity.org/2005/01/malware-spam.html; reference:url,www.blahot.com; sid: 2001667; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in (to blahot.com)"; flow: to_server,established; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; classtype: trojan-activity; reference:url,www.vitalsecurity.org/2005/01/malware-spam.html; reference:url,www.blahot.com; sid: 2001671; rev:7; )

#by Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg: "BLEEDING-EDGE WEB MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; classtype:web-application-attack; sid:2002791; rev:1; ) 

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Catalyst 3500 arbitrary command"; flow: to_server,established; uricontent:"/exec/show/config"; nocase; reference:url,www.securityfocus.com/archive/1/141471; classtype: attempted-admin; sid: 2000008; rev:7; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET 22 (msg: "BLEEDING-EDGE EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; classtype: attempted-dos; sid: 2000007; rev:4; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco IOS HTTP server DoS"; flow: to_server,established; uricontent:"/TEST?/"; classtype: attempted-dos; sid: 2000013; rev:6; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco IOS HTTP DoS"; flow: to_server,established; uricontent:"/error?/"; nocase; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype: attempted-dos; sid: 2000009; rev:7; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET 23 (msg: "BLEEDING-EDGE EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; sid: 2000005; rev:4; )

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco %u IDS evasion"; flow: to_server,established; uricontent:"%u002F"; classtype: attempted-dos; sid: 2000012; rev:6; )

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000048; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000031; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000049; rev:3; )

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,CVE-2004-14562; classtype:web-application-attack; sid:2002697; rev:1;)

#By Mark Tombaugh
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002315; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|";  distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002316; rev:3;)

# Submitted by Evgeny Pinchuk, optimized by Joel Esler
alert tcp any any -> any 5060 (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-TCP)"; flow: to_server,established; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001915; rev:4; )
alert tcp any 5060 -> any any (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-TCP)"; flow: from_server,established; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001916; rev:4; )
alert udp any any -> any 5060 (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-UDP)"; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001917; rev:4; )
alert udp any 5060 -> any any (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-UDP)"; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001918; rev:4; )

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; uricontent:"_SERVER[REMOTE_ADDR]="; nocase; reference:bugtraq,15609; classtype: web-application-attack; sid:2002703; rev:2; )

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; flowbits:set,ftp.user.login; flowbits:noalert; classtype:not-suspicious; sid:2002850; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP HP-UX LIST command without login"; flow:established,to_server; content:"LIST "; nocase; flowbits:isnotset,ftp.user.login; reference:cve,2005-3296; reference:bugtraq,15138; classtype:attempted-recon; sid:2002851; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"BLEEDING-EDGE EXPLOIT HP-UX Printer LPD Command Insertion"; content:"|02|msf28|30|"; within:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-user; sid:2002852; rev:1; )


#This set is a consolidation of all IE exploits. Too many to keep separate...
#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE Local zone Shell execution of arbitrary code"; flow: from_server,established; content:"<script"; content:"ActiveXObject"; content:"NameSpace"; content:"ParseName"; content:"GetLink"; content:"Path"; content:"Arguments"; content:"Save"; content:"Open"; content:"</script"; reference:url,www.securityfocus.com/archive/1/348688/2003-12-31/2004-01-06/0; classtype: misc-activity; sid: 2001093; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer URL parsing vulnerability"; flow: from_server,established; content:"location.href"; nocase; pcre:"/location\.href[\s]*=[\s]*unescape[\s]*\([\s]*['"]%01@['"]/iU"; reference:url,www.securityfocus.com/archive/1/346948; classtype: misc-activity; sid: 2001094; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer Object Data Remote Execution Vulnerability"; flow: from_server,established; content:"<object"; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; reference:url,www.securityfocus.com/bid/8456/solution/; classtype: misc-activity; sid: 2001097; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; classtype: misc-attack; sid: 2001099; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: misc-attack; sid: 2001101; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; sid: 2001102; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to access SHELL\:"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: misc-attack; sid: 2001103; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001105; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001106; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; classtype: misc-activity; sid: 2001048; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; classtype: misc-attack; sid: 2001181; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; classtype: misc-attack; sid: 2001182; rev:5; )

#Submitted by Matt Jonkman
alert tcp any $HTTP_PORTS -> any any (msg: "BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; flow: from_server,established; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; classtype: misc-attack; sid: 2001401; rev:13; )

#Joseph Gama
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IFRAME ExecCommand vulnerability"; flow: from_server,established; content:"<IFRAME"; nocase; pcre:"/SRC[\s]*=[\s]*["']*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001095; rev:5; )

#Submitted by Chris Keladis
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MSIE Hidden Address Bar (Phish)"; flow: to_client,established; content:"window.createpopup"; nocase; content:"innerhtml"; nocase; content:"vuln_"; nocase; reference:url,www.guninski.com/popspoof.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html; classtype: trojan-activity; sid: 2001813; rev:6; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; classtype: bad-unknown; sid: 2001022; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype: bad-unknown; sid: 2001023; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype: bad-unknown; sid: 2001024; rev:3; )

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/jammail.pl?"; nocase; pcre:"/(mail=\|.+\|)/"; reference:bugtraq,13937; classtype: web-application-attack; sid: 2001990; rev:3; )

# Submitted by Joel Ebrahimi
alert tcp $EXTERNAL_NET ANY -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Kali Tagboard Command Execution Attempt"; flow: to_server,established; uricontent:"/banned.php"; uricontent:"cmd="; classtype: web-application-attack; sid: 2001883; rev:2; )

#Submitted by Joseph Gama
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001190; rev:5; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Width exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001191; rev:5; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001192; rev:5; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; content:"sPLT"; isdataat: 80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001195; rev:5; )

#Submitted by Joe Stewart
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; classtype:attempted-admin; sid: 2001058; rev:6; )

#
alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; classtype: misc-activity; sid: 2000046; rev:5; )

#
alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; classtype: misc-activity; sid: 2000033; rev:5; )

#By Mark Tombaugh
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; classtype:successful-recon-limited; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; sid:2002389; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BLEEDING-EDGE EXPLOIT Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; classtype:misc-attack; reference:bugtraq,11775; sid:2002390; rev:2; )

#Joel Esler
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Meteor FTP Server Exploit"; flow:established,to_server; content:"USER"; nocase; offset: 14; pcre:"/USER.{81,}/i"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5RP0Q2KFPC.html; sid: 2001954; rev:4; )

#
alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection Attempt"; flow: from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380; reference:url,www.microsoft.com/technet/security/bulletin/MS04-013.mspx; classtype: web-application-attack; sid: 2000004; rev:5; )

# From Syke@mantissecurity.net
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT mIRC <=6.12 DCC Buffer Overflow"; flow: to_client, established; content:"DCC SEND "; nocase; isdataat: 100, relative; reference:bugtraq,8880; classtype: attempted-dos; sid: 2000329; rev:6; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla Firefox Certificate Spoofing"; flow: from_server,established; content:"http-equiv"; nocase; pcre:"/META[\s]+HTTP-EQUIV[\s]*=[\s]*['"]*REFRESH['"]*[\s]+CONTENT[\s]*=[\s]*['"]*[\d]+[\s]*\;[\s]*URL[\s]*=[\s]*http[\s\S]+onunload[\s]*=[\s]*['"]+[\s\S]+document\.write[\s\S]+window\.location\.reload/i"; reference:url,www.securiteam.com/securitynews/5EP0L1PDFG.html; classtype: misc-activity; sid: 2001206; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla Cookie theft"; flow: from_server,established; content:"http|3a|//"; nocase; pcre:"/http\://[\w]+(\.[\w]+){1,2}%00(([\d]+\.*){4}|[\d]+|[\w]+(\.[\w]+){1,2})/i"; reference:url,www.securiteam.com/securitynews/5GP0T0U60M.html; classtype: misc-activity; sid: 2001207; rev:6; )
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Reading Local Files in Netscape 6 and Mozilla"; flow: from_server,established; content:"XMLHttpRequest"; nocase; pcre:"/([\w]+)[\s]*=[\s]*new[\s]+XMLHttpRequest[\s\S]+\1\.open[\s]*\([\s]*['"]GET['"][\s]*,/i"; reference:url,www.securiteam.com/securitynews/5JP000A76K.html; classtype: misc-activity; sid: 2001208; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla FTP View Cross-Site Scripting Vulnerability"; flow: from_server,established; content:"ftp\://"; nocase; content:"<TITLE"; content:"<SCRIPT"; content:"</TITLE"; reference:url,www.securiteam.com/windowsntfocus/5MP0I0080A.html; classtype: misc-activity; sid: 2001209; rev:5; )

#Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative;classtype: attempted-admin; sid: 2001807; rev:5; )

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Set Wallpaper Code Execution Attempt (img)"; flow:established,from_server; content:"<img "; nocase; pcre:"/<img[^\>]*[ a-z]src[^>=]*=(?>\s*)['"]?javascript\:(\s)?./i"; reference:url,secunia.com/advisories/16043/; reference:url,www.mozilla.org/security/announce/mfsa2005-47.html; classtype:misc-attack; sid:2002127; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Set Wallpaper Code Execution Attempt (input)"; flow:established,from_server; content:"<input "; nocase; pcre:"/<input[^\>]*[ a-z]src[^>=]*=(?>\s*)['"]?javascript\:(\s)?./i"; reference:url,secunia.com/advisories/16043/; reference:url,www.mozilla.org/security/announce/mfsa2005-47.html; classtype:misc-attack; sid:2002128; rev:2;)

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Firefox Domain Name Buffer Overflow"; flow:established,from_server; content:"http"; pcre:"/(\xad|%ad|&shy\;?){16,}/Ri"; reference:cve,2005-2871; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=307259; reference:url,www.milw0rm.com/id.php?id=1224; classtype:web-application-attack; sid:2002380; rev:3; )

#Joe Stewart
alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; classtype:attempted-admin; sid: 2001944; rev:3; )

#Submitted by Chris Norton and Woofz
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect; sid: 2001369; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; sid: 2001363; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; sid: 2001364; rev:5; )

#From Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; sid: 2001374; rev:6; )

#By Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little;classtype: misc-attack; sid: 2001668; rev:4; )

#By Shirkdog, tweaks by Dale Handy
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT MS05-005 Office XP .doc Remote Code Attempt"; flow:established,to_server; uricontent:".doc"; pcre:"/\x2edoc\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; sid:2001727; rev:7;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT MS05-005 Office XP .rtf Remote Code Attempt"; flow:established,to_server; uricontent:".rtf"; pcre:"/\x2ertf\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; sid:2002799; rev:3;)

#by Chris Ries of Vigilant Minds
alert TCP any 445 -> any any (msg:"BLEEDING-EDGE EXPLOIT ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; classtype:attempted-admin; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; sid:2002064; rev:3;)

#Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content:"|3C|OBJECT "; nocase; pcre:"/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype: misc-attack; reference:url,www.microsoft.com/technet/security/bulletin/ms05-014.mspx; sid: 2001725; rev:7; )

#Erik Fichtner
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001848; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg: "BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001849; rev:5; )

alert tcp any any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001873; rev:6; )

# since this could be variable length chunks, we can't tell if we had
# enough data to blow the server up or not, so we have to read the
# chicken bones to see if it looks like exchange sh!t the bed or not.

alert tcp any 25 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001874; rev:5; )
pass tcp $SMTP_SERVERS 25 -> any any (msg: "BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted"; flowbits:isset,msxlsa; flow: from_server,established; content:"200 DONE"; nocase; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001875; rev:6; )
alert tcp $SMTP_SERVERS 25 -> any any (msg: "BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)"; flowbits:isset,msxlsa; flow: from_server,established; content:"500 DROP"; nocase; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001876; rev:5; )

# Submitted by Erik Fichtner, July 18, 2005
# MS05-036 has a pile of vectors into the system.  These are just some of them.

# False negative warning:  JPEG ICC can be fragged into multiple chunks.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- JPEG with embedded ICC - Excessive Profile Size"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002120; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- JPEG with embedded ICC - Excessive Tag Count"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1024,127,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002121; rev:4;)

# False negative warning:  GIF ICC can be fragged into multiple chunks.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- GIF with embedded ICC - Excessive Profile Size"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002122; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- GIF with embedded ICC - Excessive Tag Count"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1024,129,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002123; rev:4;)

# iCCP profiles are all compressed with zlib deflate. That's annoying. A preprocessor would do this work better.
# This is disabled by default because it hits on any PNG. It is a good sig, but you must understand more than average to use it
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- PNG with embedded ICC document"; flow:established; content:"|89|PNG|0D 0A 1A 0A|"; content:"iCCP"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002124; rev:1;)

# The following are based on a working exploit
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS05-036 exploit -- JPEG ICC r/b/g/XYZ GetColorProfileElement overflow"; flow:established; content:"ICC_PROFILE|00|"; pcre:"/[rbg]XYZ/"; byte_test:4,!=,20,4,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002134; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS05-036 exploit -- GIF ICC r/b/g/XYZ GetColorProfileElement overflow"; flow:established; content:"ICCRGBG1012"; pcre:"/[rbg]XYZ/"; byte_test:4,!=,20,4,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002137; rev:2;)

#By Blake Harstein at Demarc
#These rules are separated for compatibility with Snort 2.3.3 (>850 characters per line), If you are using Snort >2.4.0 you can safely combine these into a single rule 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; content:"CLSID"; nocase; pcre:"/CLSID\s*\:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/i"; flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; sid:2002174; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002171; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002172; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002173; rev:4;) 

#This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the 
# clsid flowbits set above.
#By Blake Harstein of Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; classtype:web-application-attack; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; sid:2002308; rev:1;) 

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002491; rev:2;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002492; rev:2;) 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002493; rev:2;) 

# Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
#Replaced by sigs below
#alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002186; rev:1;)

#alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002187; rev:2;)

#alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002188; rev:2;)

#All related to UPnP Exploit, MS05-039
#Thanks to the Alert Logic team
alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002199; rev:1;)

alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002200; rev:1;)

alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:2002201; rev:1;)

alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002202; rev:1;)

alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:2002203; rev:1;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit MciWndx ActiveX Control"; flow:from_server,established; content:"CLSID"; nocase; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; sid:2002724; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/Ri"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; sid:2002725; rev:1; )

#by Shirkdog, updated 2006-02-21, mscott
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image (MS06-005)"; flow:established,from_server; content:"|424D|"; depth:400; byte_test: 4,=,0,8,relative; reference:url,www.milw0rm.com/id.php?id=1500;reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx;classtype:attempted-user; sid:2002802; rev:4; )

#by Joe Stewart of Lurhq
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT BMP with invalid bfOffBits (possible MS06-005)"; flow:established,to_client;  content:"BM"; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; classtype:attempted-user; sid:2002803; rev:4;)

#Erik Fichtner
log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:1,=,3,10,relative; flowbits:set,icolor_png; classtype: misc-attack; sid: 2001720; rev:5; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content:"PLTE"; byte_test:4,>,768,-8,relative; classtype: misc-attack; sid: 2001721; rev:5; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content:"hIST"; byte_test:4,>,512,-8,relative; classtype: misc-attack; sid: 2001722; rev:5; )
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,256,17,relative;content:"tRNS"; distance: 4; classtype: misc-attack; sid: 2001723; rev:4; )
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad width"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,0,relative;classtype: misc-attack; sid: 2001718; rev:4; )
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad height"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,4,relative;classtype: misc-attack; sid: 2001719; rev:4; )
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT libpng CAN-2004-1244 overflow attempt"; flow: to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:1,=,3,10,relative;content:"tRNS"; byte_test:4,>,256,-8,relative;pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype: attempted-admin; sid: 2001724; rev:4; )

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE EXPLOIT Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; distance:0; within:8; reference:cve,2002-1123; reference:bugtraq,5411; classtype:attempted-admin; sid:2002845; rev:1; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000488; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000372; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000373; rev:5; )

#Submitted by Joseph Gama
alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-admin; sid: 2000377; rev:4; )
alert udp any any -> $SQL_SERVERS 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000378; rev:5; )
alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000379; rev:4; )
alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; classtype: attempted-admin; sid: 2000380; rev:6; )
alert udp any any -> $SQL_SERVERS 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000381; rev:5; )

#By Joel Esler
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg: "BLEEDING-EDGE EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; classtype: attempted-admin; sid: 2001988; rev:2; )

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; sid: 2000017; rev:4; )

#by Tom at doctorunix.com
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT OSTicket Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/osticket/include"; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438;reference:cve,CAN-2005-1439; classtype: web-application-attack; sid:2002702; rev:2;)

#Mark Tombaugh
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; depth:4; nocase; uricontent:"xmlrpc.php"; content:"methodCall"; nocase; pcre:"/>.*\'\s*\)\s*\)*\s*\;/"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; classtype: web-application-attack; sid:2002158; rev:4;)

#Submitted by Matt Jonkman, Updated by Abe and Matt Sheridan
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype: suspicious-login; sid: 2000565; rev:6; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype: suspicious-login; sid: 2000566; rev:6; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype: misc-attack; sid: 2000564; rev:7; )
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype: misc-attack; sid: 2000567; rev:6; )
alert tcp $HOME_NET 445 -> any any (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"\:|00|5|00|0|00|0\:"; classtype: misc-attack; sid: 2000563; rev:8; )
alert tcp $HOME_NET 139 -> any any (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"\:|00|5|00|0|00|0\:"; classtype: misc-attack; sid: 2000568; rev:7; )

#Submitted by Abe Use
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype: misc-activity; sid: 2001053; rev:5; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype: misc-activity; sid: 2001544; rev:5; )
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype: misc-activity; sid: 2001052; rev:6; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype: misc-activity; sid: 2001543; rev:5; )
alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype: suspicious-login; sid: 2001753; rev:2; )
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype: suspicious-login; sid: 2001754; rev:2; )

#By Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:"<imfl>"; pcre:"/<[^>%]*%/R"; content:"</imfl>"; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; classtype:web-application-attack; sid:2002381; rev:4;)

#
alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid: 2000032; rev:6; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability"; flow: to_server,established; content:"site exec"; nocase; rawbytes; reference:url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; classtype: misc-activity; sid: 2001210; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (1)"; flow: to_server,established; pcre:"/\\[\.]+%20/Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; sid: 2001211; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (2)"; flow: to_server,established; pcre:"/%20[\.]+\//Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; sid: 2001212; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow"; flow: to_server,established; content:"LIST -l\:"; nocase; isdataat: 134,relative; reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype: misc-activity; sid: 2001213; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; flow: to_server,established; content:"chmod"; nocase; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype: misc-activity; sid: 2001215; rev:7; )

#Submitted by Cooljay ref: http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=139
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; classtype: shellcode-detect; sid: 2001385; rev:4; )

#by Blake Hartstein
alert tcp any any -> $HOME_NET 8000:8030 (msg:"BLEEDING-EDGE Nullsoft Shoutcast Server Format String Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/\/content\/.*?%#?\d*[a-z\.].*?\.mp3/Ri"; reference:cve,2004-1373; reference:bugtraq,12096; classtype:web-application-attack; sid:2001751; rev:3;) 

#by Blake Hartstein of Demarc
alert udp $EXTERNAL_NET ANY -> $HOME_NET 5060 (msg: "BLEEDING-EDGE EXPLOIT SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; within:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference: bugtraq,16213; reference: cve,2006-0189; classtype:attempted-user; sid:2002848; rev: 2; ) 

#by Summit Siddharth
alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"BLEEDING-EDGE EXPLOIT malformed Sack --Snort DoS-by-$um$id";seq:0; ack:0; window:65535; dsize:0; classtype:attempted-dos; sid:2002656; rev:1;)

#By Kyle Haugsness for the ISC on 2005-10-21
#Disabling by default. This is now caught by the upgraded BO preproc 2.4.3+
#alert udp any !31337 <> any !31337 (msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; dsize: >1024; content:"|ce 63 d1 d2 16 e7 13 cf|"; offset: 0; depth: 8; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?storyid=782; reference:url,isc.sans.org/diary.php?storyid=770; reference:url,xforce.iss.net/xforce/alerts/id/207; sid: 2002661; rev:2; )

#submitted by bdoctor
alert tcp any any -> $HOME_NET 23 (msg: "BLEEDING-EDGE EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference:url,online.securityfocus.com/archive/1/293844; classtype: attempted-admin; sid: 2001780; rev:3; )

#
alert tcp any any -> $HOME_NET 3128 (msg: "BLEEDING-EDGE EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; classtype: misc-attack; sid: 2000342; rev:4; )

#by Matt Richard
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002783; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002784; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Java field reflector call java.lang.reflect.field"; flow:from_server,established; content:"java/lang/reflect/Field"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002785; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Javascript unsafe applet call"; flow:from_server,established; content: "sun.misc.Unsafe"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002786; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Javascript Securitymanager class applet call"; flow:from_server,established; content: "java.lang.SecurityManager"; classtype:trojan-activity; reference:url,www.mullingsecurity.com; sid:2002787; rev:1;)

#Submitted by Dale Handy
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow:to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001549; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow:to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001550; rev:6;)
alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow:to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001551; rev:6;)
alert tcp $EXTERNAL_NET 143 -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow:to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; distance:0; within:30; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; classtype:web-application-attack; sid:2001552; rev:6;)

#By Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TAC Attack Directory Traversal"; flow:established,to_server; uricontent:"/ISALogin.dll?"; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; classtype:attempted-recon; sid:2002406; rev:1; )

#By Paul Dokas, posted on http://isc.sans.org/diary.php?date=2005-06-27
#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002061; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002062; rev:2;)

#By Chris Ries of Vigilant Minds. This is not specific to the exploit as previous versions
alert TCP any any -> any 10000 (msg:"BLEEDING-EDGE EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; classtype:misc-attack; sid:2002065; rev:3;)

#By Mark Tombaugh: Alerts on responses of version checks.
alert tcp $HOME_NET 10000 -> any any (msg:"BLEEDING-EDGE NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; classtype:attempted-recon; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; sid:2002068; rev:4;)

# Added 2005/08/11 by Frank Knobbe - Rough first draft after exploit release
#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas Backup Exec Windows Agent Remote File Access Exploit"; flow:to_server,established; content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,isc.sans.org/diary.php?date=2005-08-11; classtype:string-detect; sid:2002176; rev:2;)

# Added 2005/08/12 by Frank Knobbe - This version alerts if a system is vulnerable. flowbits:noalert is optional on the first rule if you don't want to detect (possibly unsuccessfull) attempts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:default-login-attempt; sid:2002181; rev:3;)
alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:misc-attack; sid:2002182; rev:3;)

#David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT WebHints Scripts Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/hints.pl?|7c|"; nocase; classtype: web-application-attack; reference:bugtraq,13930; sid: 2001991; rev:6; )
#Written by Erik Fichtner
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 1"; flowbits:noalert; flow: to_client,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within: 5; flowbits:set,winhlp32; classtype: web-application-activity; sid: 2001622; rev:4; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 2"; flow: to_client,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; flowbits: isset,winhlp32; classtype: web-application-attack; sid: 2001623; rev:3; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 3"; flow: to_client, established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; flowbits: isset,winhlp32; classtype: web-application-attack; sid: 2001624; rev:3; )
alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 1"; flowbits:noalert; flow: to_server,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within: 5; flowbits:set,winhlp32; classtype: web-application-activity; sid: 2001625; rev:4; )
alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 2"; flow: to_server,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid: 2001626; rev:3; )
alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 3"; flow: to_server,established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; classtype: web-application-attack; sid: 2001627; rev:3; )

#By Sam Pabon
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (1)"; flow: to_client,established; content:"pchealth"; nocase; pcre:"/^file\x3A\\/\/C\x3A\\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools\x2E\htm/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype: web-application-attack; sid: 2001633; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (2)"; flow: to_client,established; content:"writehta.txt"; pcre:"/^C\x3A\\\Documents\s+and\s+Settings\\All\s+Users\\Start\s+Menu\\Programs\\Startup\\+?([A-Z]|[a-z]|[0-9])\x2E\hta/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype: web-application-attack; sid: 2001634; rev:5; )

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WinProxy Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*[^\n\:]*\:[^\n]{7}/i"; within:500; reference:cve,2005-4085; reference:url,www.frsirt.com/english/advisories/2006/0065; classtype:bad-unknown; sid:2002764; rev:1;)

#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:2;)

# By Frank Knobbe, 2005-12-28. Additional work with Blake Harstein and Brandon Franklin.
# flow_depth (of http_inspect_server) has to be set to 0. Recommend second Snort instance with that config.
# Note that these rules will fail to detect the exploit when the HTTP response is gzipped.
# There is also a possibility for evasion, but a version that catches it will incurr massive amount of FPs.
#
# Choose between the All-Ports rules or the Web-Only rules. (All web rules have to be enabled)
# All ports
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - All Ports - v3"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - All Ports - v1"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002759; rev:1;)
# Web Only
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,bleeding_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,bleeding_wmf_http; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002743; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Web Only - version 3"; flowbits:isset,bleeding_wmf_http; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002741; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Web Only - version 1"; flowbits:isset,bleeding_wmf_http; flowbits:isnotset,bleeding_wmf_expl; flowbits:isnotset,bleeding_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002757; rev:1;)
# Thes rules have to be there for both 
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 3"; flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742; rev:5;)
#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit wowBB view_user.php SQL Injection"; flow: to_server,established; uricontent:"/wowbb/view_user.php?"; nocase; uricontent:"&sort_by='"; nocase; pcre:"/(alter|delete|insert|select)/i"; reference:bugtraq,13569; classtype: web-application-attack; sid: 2001932; rev:3; )

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Wzdftpd SITE command arbitrary command execution attempt"; flow:to_server,established; pcre:"/site\s+.*?[\;|&]/i"; reference:bugtraq,14935; reference:url,www.securiteam.com/exploits/5CP0R1PGUE.html; classtype:web-application-attack; sid:2002382; rev:3; )