# # $Id: emerging-web_client.rules $ # Emerging Threats web client rules. # # These are rules targeting the end user, browser, browser apps, etc. Many are higher load, # many may false positive. Use these only if you really want to. Not always the most actionable alerts. # # SID's are 2000000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #by Akash Mahajan of Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2007903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_4XEM; sid:2007903; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; distance:0; content:"ConvertFile"; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; reference:url,doc.emergingthreats.net/2009469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2009469; rev:4;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; 
content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2010039; rev:2;) #by Kevin Ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; distance:0; content:"ConvertFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6/si"; classtype:attempted-user; reference:url,www.milw0rm.org/exploits/8733; reference:url,www.securityfocus.com/bid/35028; reference:url,doc.emergingthreats.net/2010160; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2010160; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible AOL 9.5 BindToFile Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"BC8A96C6-3909-11D5-9001-00C04F4C3B9F"; nocase; distance:0; content:"BindToFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC8A96C6-3909-11D5-9001-00C04F4C3B9F/si"; classtype:attempted-user; reference:url,tcc.hellcode.net/advisories/hellcode-adv008.txt; reference:url,doc.emergingthreats.net/2010814; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2010814; rev:2;) #by Kevin Ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; nocase; 
distance:0; content:"RUN"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3895DD35-7573-11D2-8FED-00606730D3AA/si"; classtype:attempted-user; reference:url,securitytracker.com/alerts/2009/Aug/1022752.html; reference:url,www.kb.cert.org/vuls/id/485961; reference:url,www.securityfocus.com/bid/21207/info; reference:url,doc.emergingthreats.net/2009868; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Acer; sid:2009868; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access"; flow:established,to_client; content:"233C1507-6A77-46A4-9443-F871F945D258"; nocase; content:"PlayerVersion"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*233C1507-6A77-46A4-9443-F871F945D258/si"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/9682; reference:url,doc.emergingthreats.net/2010256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Adobe; sid:2010256; rev:2;) #by Wolvee alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 1"; flow:to_client,established; content:"clsid"; nocase; content:"4871A87A-BFDD-4106-8153-FFDE2BAC2967"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4871A87A-BFDD-4106-8153-FFDE2BAC2967/si"; classtype:web-application-attack; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009687; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Akami; sid:2009687; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 2"; flow:to_client,established; content:"clsid"; nocase; content:"2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B"; nocase; distance:0; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B/si"; classtype:web-application-attack; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009688; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Akami; sid:2009688; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 3"; flow:to_client,established; content:"clsid"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1/si"; classtype:web-application-attack; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Akami; sid:2009689; rev:4;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution AeXNSPkgDLLib.dll ActiveX Control DownloadAndInstall Method Arbitrary Code Execution Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; distance:0; content:"DownloadAndInstall"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7/si"; classtype:attempted-user; reference:url,securitytracker.com/alerts/2009/Sep/1022928.html; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,doc.emergingthreats.net/2010011; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris; sid:2010011; rev:4;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris; sid:2010245; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSPkgDL.1"; nocase; distance:0; content:"DownloadAndInstall"; nocase; classtype:attempted-user; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,secunia.com/advisories/36679; reference:url,doc.emergingthreats.net/2010190; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris; sid:2010190; rev:2;) #Blake Hartstein at Demarc alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|22|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; classtype:attempted-admin; 
reference:url,doc.emergingthreats.net/2003326; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Apple; sid:2003326; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|27|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2003327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Apple; sid:2003327; rev:6;) #Joint contribution from Andre Ludwig, Blake Hartstein, and Chris Byrd at riosec.com alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference: url,www.milw0rm.com/exploits/4657; classtype:attempted-user; reference:url,doc.emergingthreats.net/2007703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Apple; sid:2007703; rev:7;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference: url,www.milw0rm.com/exploits/4657; classtype:attempted-user; reference:url,doc.emergingthreats.net/2007704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Apple; sid:2007704; rev:5;) #by Akash Mahajan alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"CLSID"; 
nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String"; nocase; pcre:"/[0-9]{4,}/"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/i"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2007878; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Apple; sid:2007878; rev:5;) #by Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; distance:0; nocase; content:"SaveAS"; nocase; classtype:web-application-attack; reference:url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html; reference:url,secunia.com/Advisories/31989/; reference:url,doc.emergingthreats.net/2008612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Autodesk; sid:2008612; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Autodesk IDrop Indicator ActiveX Control Memory Corruption"; flow:to_client,established; content:"clsid"; nocase; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; nocase; distance:0; pcre:"/(Src|Background|PackageXml)/i"; classtype:web-application-attack; reference:url,secunia.com/advisories/34563/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2009-04/0020.html; reference:url,vupen.com/english/advisories/2009/0942; reference:url,milw0rm.com/exploits/8560; reference:url,doc.emergingthreats.net/2009399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Autodesk; sid:2009399; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow"; 
flow:to_client,established; content:"clsid"; nocase; content:"9589AEC9-1C2D-4428-B7E8-63B39D356F9C"; nocase; distance:0; content:"PrinterName"; nocase; classtype:web-application-attack; reference:url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt; reference:bugtraq,35582; reference:url,juniper.net/security/auto/vulnerabilities/vuln35583.html; reference:url,doc.emergingthreats.net/2009792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Avax; sid:2009792; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; distance:0; content:"SceneURL"; nocase; classtype:web-application-attack; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Awingsoft; sid:2009857; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX BaoFeng Storm ActiveX Control OnBeforeVideoDownload Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; nocase; distance:0; content:"OnBeforeVideoDownload"; nocase; classtype:web-application-attack; reference:bugtraq,34789; reference:url,milw0rm.com/exploits/8579; reference:url,doc.emergingthreats.net/2009425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Baofeng; sid:2009425; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; nocase; distance:0; 
content:"SetAttributeValue"; nocase; classtype:web-application-attack; reference:bugtraq,34869; reference:url,juniper.net/security/auto/vulnerabilities/vuln34869.html; reference:url,vupen.com/english/advisories/2009/1392; reference:url,milw0rm.com/exploits/8757; reference:url,doc.emergingthreats.net/2009657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Baofeng; sid:2009657; rev:4;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"Enable"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(EnableKeepExistingFiles|EnableStartApplication|EnableStartBeforePrint|EnablePassParameters)/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010203; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"Set"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010204; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010204; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"SaveBlackIceDEVMODE"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010205; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010205; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"ClearUserSettings"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010206; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010206; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"ControlJob"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; 
reference:url,doc.emergingthreats.net/2010207; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010207; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(EnableStartApplication|EnableStartBeforePrint|EnableKeepExistingFiles|EnablePassParameters)/i"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010208; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010208; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/i"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010209; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010209; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"SaveBlackIceDEVMODE"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; 
reference:url,doc.emergingthreats.net/2010210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010210; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ClearUserSettings"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010211; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ControlJob"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010212; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce; sid:2010212; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Charm Real Converter pro 6.6 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"F4F647AD-B160-11D2-A3EF-00104BDF4755"; nocase; distance:0; content:"GetCodecModulus"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4F647AD-B160-11D2-A3EF-00104BDF4755/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/charmrc-dos.txt; reference:url,doc.emergingthreats.net/2010280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CharmReal; sid:2010280; rev:2;) #by Chandan S at Stillsecure alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; classtype:web-application-attack; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Chilkat; sid:2008099; rev:5;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS"; flow:to_client,established; content:"CLSID"; nocase; content:"126FB030-1E9E-4517-A254-430616582C50"; distance:0; nocase; content:"LoadXmlEmail"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6600; reference:url,doc.emergingthreats.net/2008607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Chilkat; sid:2008607; rev:6;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; distance:0; content:"WriteFile"; nocase; classtype:web-application-attack; reference:url,secunia.com/Advisories/32513/; reference:url,milw0rm.com/exploits/6963; reference:url,doc.emergingthreats.net/2008814; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Chilkat; sid:2008814; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation"; flow:to_client,established; content:"CLSID"; nocase; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; nocase; distance:0; content:"SaveLastError"; nocase; 
classtype:web-application-attack; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7142; reference:url,doc.emergingthreats.net/2008870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Chilkat; sid:2008870; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; flow:to_client,established; content:"CLSID"; nocase; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; distance:0; content:"SaveLastError"; nocase; classtype:web-application-attack; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; reference:url,doc.emergingthreats.net/2009046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Chilkat; sid:2009046; rev:44;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Chinagames ActiveX Control CreateChinagames Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"75108B29-202F-493C-86C5-1C182A485C4C"; nocase; distance:0; content:"CreateChinagames"; nocase; classtype:web-application-attack; reference:bugtraq,34871; reference:url,milw0rm.com/exploits/8758; reference:url,doc.emergingthreats.net/2009500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Chinagames; sid:2009500; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; distance:0; content:"SaveToFile"; nocase; classtype:web-application-attack; reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794; reference:url,doc.emergingthreats.net/2009064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Ciansoft; sid:2009064; rev:4;) #by Akash Mahajan of Stillsecure alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit"; flow:established; content:"0x40000"; content:"SendChannelData"; nocase; content:"238F6F83-B8B4-11CF-8771-00A024541EE3"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/5106; reference:bugtraq,21458; reference:cve,CVE-2006-6334; reference:url,doc.emergingthreats.net/bin/view/Main/2007851; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Citrix; sid:2007851; rev:4;) #by evilghost and kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; pcre:"/(Save|SaveLayoutChanges|SaveMenuUsageData)/i"; classtype:web-application-attack; reference:bugtraq,24959; reference:cve,CVE-2007-3883; reference:url,www.milw0rm.com/exploits/5395; reference:url,doc.emergingthreats.net/2008127; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Data_Dynamics; sid:2008127; rev:7;) #by Akash Mahajan at stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2007905; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Dlink; sid:2007905; rev:44;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable WriteToLog Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"WriteToLog"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC; sid:2010035; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable SetLogLevel/SetLogFileName Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"SetLog"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC; sid:2010036; rev:2;) #by Wolvee alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"WriteToLog"; distance:0; 
classtype:web-application-attack; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010154; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC; sid:2010154; rev:3;)
# NOTE(review): sid 2010155 carries exactly the same msg as 2010154 although it keys on "SetLog"
# rather than "WriteToLog"; naming the method in the msg would let analysts tell the two apart.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"SetLog"; distance:0; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010155; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC; sid:2010155; rev:3;)
#by stillsecure
# EasyMail emmailstore (sid 2008963): the literal "0x400000" is not part of the vulnerable call and
# presumably mirrors the referenced PoC's buffer constant; a variant built with a different value
# evades this rule while still reaching CreateStore. Neither it nor "CreateStore" is relative to the CLSID.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; distance:0; content:"0x400000"; nocase; content:"CreateStore"; nocase; classtype:web-application-attack; reference:bugtraq,32722; reference:url,milw0rm.com/exploits/7402; reference:url,doc.emergingthreats.net/2008963; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail; sid:2008963; rev:4;)
#by Sujit Ghosal
# NOTE(review): the Quiksoft imap connect() rule below is damaged in this copy -- its content match
# and pcre are fused into content:"]*classid..., so it will not parse as shown; restore from upstream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Quiksoft EasyMail imap connect() ActiveX stack overflow vulnerability"; flow:from_server,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; classtype:attempted-user; reference:url,www.milw0rm.com/exploits/9704; reference:url,www.securityfocus.com/bid/22583; reference:url,doc.emergingthreats.net/2009948; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail; sid:2009948; rev:5;)
#by stillsecure
# EasyMail/Quiksoft method rules (sids 2010253/2010277/2010278). msg typo: "excution" -> "execution"
# (bump rev if corrected). In 2010277 the GUID is not relative to "clsid" (no distance:0) and
# "CreateStore" is not relative to either, so all three tokens may occur anywhere in the response.
# 2010278 repeats content:"AddAttachment"; nocase; after the pcre -- the second copy is redundant.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; distance:0; content:"LicenseKey"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9684; reference:url,doc.emergingthreats.net/2010253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail; sid:2010253; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT EasyMail Quicksoft ActiveX CreateStore method Remote code excution clsid access"; flow:established,to_client; content:"clsid"; nocase; content:"18A76B9A-45C1-11D3-80DC-00C04F6B92D0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0/si"; content:"CreateStore"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/9685; reference:url,doc.emergingthreats.net/2010277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail; sid:2010277; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT EasyMail ActiveX AddAttachment method Remote code excution clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; distance:0; content:"AddAttachment"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; content:"AddAttachment"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/9705; reference:url,doc.emergingthreats.net/2010278; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail; sid:2010278; rev:2;)
#by stillsecure
# NOTE(review): sids 2009102 and 2009063 are the same detection byte for byte (same CLSID, same
# "DoSaveFile" match, same bugtraq ref) and differ only in sid/doc URL, so every hit produces two
# alerts. Disable one of them (keep whichever upstream retained).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; distance:0; content:"DoSaveFile"; nocase; classtype:web-application-attack; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Easy_Grid; sid:2009102; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; distance:0; content:"DoSaveFile"; nocase; classtype:web-application-attack; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009063; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Easygrid; sid:2009063; rev:4;)
#by Jaime Blasco, updated by wolvee
# eBay Enhanced Picture Services (sids 2009402/2009403): "Clsid Access" rules in the killbit style --
# they fire on any page that references the control and "PictureUrls", which may include legitimate
# eBay pages where the control is still deployed; the MS advisory 969898 reference is the killbit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1)"; flow:from_server,established; content:"clsid"; nocase; content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; nocase; distance:0; content:"PictureUrls"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3/si"; classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Ebay; sid:2009402; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
WEB_CLIENT ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2)"; flow:from_server,established; content:"clsid"; nocase; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; nocase; distance:0; content:"PictureUrls"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679/si"; classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Ebay; sid:2009403; rev:5;)
#by mike cox
# NOTE(review): the seven "HTTP 4xx/5xx XSS Attempt" rules below are fused and truncated in this
# copy: the content match after each status line is empty and the rest of each rule (including its
# sid) is gone -- the text looks tag-stripped, and nothing here will load as shown. Once restored,
# keep in mind they key only on "HTTP/1.1" status lines (HTTP/1.0 responses are not covered), only
# on client ports 1024 and up, and that any external server reflecting script into an error body
# will alert, so expect noise from sites that echo the request path into 404/403 pages.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:" $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 403 Forbidden|0d 0a|"; depth:24; nocase; content:" $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:" $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:" $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:" $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:" $HOME_NET 1024: (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; 
# NOTE(review): the tail of the HTTP 503 XSS rule and the header of the EvansFTP rule are fused here
# (truncated copy); the EvansFTP body (sid 2008999) is intact from content:"CLSID" onward.
content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:" $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; distance:0; nocase; content:"RemoteAddress"; nocase; classtype:web-application-attack; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; reference:url,doc.emergingthreats.net/2008999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EvansFTP; sid:2008999; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion"; flow:to_client,established; content:"CLSID"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"DeleteFile"; nocase; classtype:web-application-attack; reference:bugtraq,33842; reference:url,xforce.iss.net/xforce/xfdb/48837; reference:url,doc.emergingthreats.net/2009184; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_FathFTP; sid:2009184; rev:4;)
#by stillsecure
# FlexCell (sid 2009120): the (SaveFile|ExportToXML) pcre is unanchored and not relative to the
# CLSID, so the method name may occur anywhere in the response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT FlexCell Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; nocase; distance:0; pcre:"/(SaveFile|ExportToXML)/i"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7868; reference:bugtraq,33453; reference:url,doc.emergingthreats.net/2009120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_FlexCell; sid:2009120; rev:5;)
#by kevin ross and joel esler
# Foxit Launch-action overflow (sid 2010876): plaintext matching on the PDF body -- "PDF-" in the
# first 300 bytes, "Type/Action" then "Launch" within 40 bytes, at least 600 newline-free bytes
# after it, then "NewWindow true". A PDF whose objects live in a FlateDecode'd object stream, or a
# response served with gzip Content-Encoding, will not match; pair with file extraction / sandboxing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"Type/Action"; nocase; content:"Launch"; nocase; within:40; 
isdataat:600,relative; content:!"|0A|"; within:600; content:"NewWindow true"; nocase; distance:600; classtype:attempted-user; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0837; reference:url,doc.emergingthreats.net/2010876; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Foxit; sid:2010876; rev:2;)
#kevin ross
# Foxit auth bypass (sid 2010878): the pcre requires the Launch target to begin "(/<letter>/<letter>"
# (e.g. "(/c/windows..."); a launch path written in any other form slips past this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"Type/Action"; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; classtype:attempted-user; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Foxit; sid:2010878; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit Reader ActiveX control OpenFile method Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"05563215-225C-45EB-BB34-AFA47217B1DE"; nocase; distance:0; content:"OpenFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05563215-225C-45EB-BB34-AFA47217B1DE/si";classtype:attempted-user; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Foxit; sid:2010929; rev:2;)
# NOTE(review): sid 2010930 matches "OpenFile " WITH a trailing space, so a call written as
# obj.OpenFile(...) with no space before the parenthesis does not match. "OpenFile" alone, or a
# pcre allowing \s* before "(", would be the safer form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"FOXITREADEROCXLib.FoxitReaderOCX"; nocase; distance:0; content:"OpenFile "; nocase; 
classtype:attempted-user; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Foxit; sid:2010930; rev:2;)
#by Akash Mahajan of Stillsecure
# Gateway Weblaunch2 (sid 2007852): "DoWebLaunch" is matched case-sensitively and neither it nor
# "0x40000" is relative to the CLSID; the "0x40000" literal presumably mirrors the PoC, not the bug.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit"; flow:to_client,established; content:"clsid"; nocase; content:"97BB6657-DC7F-4489-9067-51FAB9D8857E"; nocase; content:"0x40000"; content:"DoWebLaunch"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/4982; reference:bugtraq,27193; reference:url,doc.emergingthreats.net/2007852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gateway; sid:2007852; rev:5;)
#by Stillsecure
# NOTE(review): sid 2008613 is bound to "$EXTERNAL_NET any -> $HOME_NET any" rather than $HTTP_PORTS
# like its siblings, so it is evaluated on every established inbound TCP stream (load) and, with no
# HTTP port binding, may not see HTTP-normalized data. Keep only if the control is expected to be
# served from non-standard ports.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"E8512363-3581-42EF-A43D-990E7935C8BE"; distance:0; nocase; content:"SaveAsPDF"; nocase; classtype:web-application-attack; reference:url,secunia.com/Advisories/31966/; reference:url,milw0rm.com/exploits/6638; reference:url,doc.emergingthreats.net/2008613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_GdPicture_Pro; sid:2008613; rev:5;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution"; flow:to_client,established; content:"clsid"; nocase; content:"814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8"; nocase; distance:0; content:"GetAudioPlayingTime"; nocase; classtype:web-application-attack; reference:bugtraq,34115; reference:url,milw0rm.com/exploits/8206; reference:url,doc.emergingthreats.net/2009328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Geovision; sid:2009328; rev:4;)
#by stillsecure
alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"8D58D690-6B71-4ee8-85AD-006DB0287BF1"; nocase; distance:0; pcre:"/(SnapShotToFile|SnapShotX)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009160; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_GeoVision; sid:2009160; rev:4;)
# GeoVision LiveX (sids 2009160/2009161/2009162): the same detection keyed on three version-specific
# CLSIDs; the (SnapShotToFile|SnapShotX) pcre is unanchored, so any page naming the CLSID plus a
# SnapShot* method alerts -- acceptable for a file-overwrite primitive.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; nocase; distance:0; pcre:"/(SnapShotToFile|SnapShotX)/i"; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009161; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_GeoVision; sid:2009161; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; nocase; distance:0; pcre:"/(SnapShotToFile|SnapShotX)/i"; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009162; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_GeoVision; sid:2009162; rev:4;)
#by stillsecure
# NOTE(review): Gom Player (sid 2010367): the method match is just "Command" nocase, a word found in
# ordinary HTML/JS ("command", "onCommand", ...); the CLSID is the only real selector, so pages that
# embed the GOM control legitimately will alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Gom Player V 2.1.16 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; distance:0; content:"Command"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gom; sid:2010367; rev:2;)
# Gom Player function-call variant (sid 2010368): keys on the ProgID passed to ActiveXObject; as with
# the CLSID rule, "Command" nocase is too common a token to add much selectivity on its own.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Gom Player V 2.1.16 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"GOMWEBCTRLLib.GomWeb"; nocase; distance:0; content:"Command"; nocase; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010368; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gom; sid:2010368; rev:2;)
#by kevin ross
# NOTE(review): sids 2010063 and 2010202 combine flow:established,from_server with uricontent / a
# "/U" pcre. In Snort the URI buffer is built from the client's request line, so on server-to-client
# traffic these matches have nothing to inspect and the rules are unlikely ever to fire as written.
# Either inspect the request direction (the one that carries the googleapps.url.mailto: or
# chrome://history/ URI) or rewrite the matches as plain content against the response body. Verify in a lab.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Google Apps 'googleapps.url.mailto' Handler IE Command Injection Attempt"; flow:established,from_server; uricontent:"googleapps.url.mailto\:"; nocase; uricontent:"domain="; nocase; uricontent:"--renderer-path="; nocase; uricontent:"--no-sandbox"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36581/info; reference:url,www.securityfocus.com/archive/1/506888; reference:url,retrogod.altervista.org/9sg_google_apps_uri.html; reference:url,doc.emergingthreats.net/2010063; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Google; sid:2010063; rev:2;)
#by Kevin Ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Google Chrome chrome //history/ URI Cross-Site Scripting Attempt"; flow:established,from_server; uricontent:"chrome|3A 2F 2F|history/"; nocase; pcre:"/(iframe|script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; 
reference:url,www.securityfocus.com/bid/35841/info; reference:url,www.securityfocus.com/archive/1/505303; reference:url,doc.emergingthreats.net/2010202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Google; sid:2010202; rev:3;)
#by kevin ross
# Gracenote CDDBControl (sid 2010760): CLSID relative to "clsid" plus the ViewProfile method name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; reference:url,doc.emergingthreats.net/2010760; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gracenote; sid:2010760; rev:2;)
#by kevin ross
# HP LoadRunner XUpload (sid 2010010): requires both the "XUPLOAD" token and the MakeHttpRequest
# method, which makes it one of the more specific rules in this group.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; distance:0; content:"XUPLOAD"; nocase; content:"MakeHttpRequest"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E87F6C8E-16C0-11D3-BEF7-009027438003/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36550/info; reference:url,doc.emergingthreats.net/2010010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010010; rev:4;)
#by stillsecure
# HP OpenView NNM (sids 2010611-2010614): one rule per method on the same CLSID. "DisplayName" and
# "Subscribe" are common page tokens and are not relative to the CLSID, so the CLSID does the work.
# These are client-side memory corruptions but are classed web-application-attack, unlike the
# attempted-user neighbours above -- the inconsistency shifts alert priority; consider aligning.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HP Openview NNM ActiveX DisplayName method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"DisplayName"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010611; rev:2;)
# HP OpenView NNM AddGroup / InstallComponent / Subscribe (sids 2010612-2010614): same CLSID and
# structure as 2010611; the method names are not relative to the CLSID, and "Subscribe" in
# particular is a common page token, so selectivity rests on the CLSID.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HP Openview NNM ActiveX AddGroup method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"AddGroup"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010612; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"InstallComponent"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010613; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HP Openview NNM ActiveX Subscribe method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"Subscribe"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010614; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010614; rev:2;)
#by stillsecure
# HP Mercury Quality Center ProgColor (sids 2010778/2010779): the same overflow reachable through
# two CLSIDs, hence two rules with identical references; "ProgColor" is not relative to the CLSID.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; content:"clsid"; nocase; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; distance:0; content:"ProgColor"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; classtype:attempted-user; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010778; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010778; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; content:"clsid"; nocase; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; distance:0; content:"ProgColor"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; classtype:attempted-user; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010779; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP; sid:2010779; rev:2;)
#by Jaime Blasco
# HP Virtual Rooms (sid 2009404): pure "Clsid Access" -- no method or property match, so it fires
# whenever the control is instantiated, including by legitimate HP Virtual Rooms sessions; treat as
# a killbit/exposure indicator (see the MS advisory 969898 and HP document references).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX HP Virtual Rooms Control Clsid Access"; 
flow:from_server,established; content:"clsid"; nocase; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000032-9593-4264-8B29-930B3E4EDCCD/si"; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01678405; reference:url,doc.emergingthreats.net/2009404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP_Virtual_Rooms; sid:2009404; rev:4;)
#by kevin ross
# NOTE(review): Haihaisoft (sids 2010373/2010374): the property match is just "URL" nocase, present
# in essentially every page, so the CLSID / ProgID is the only selector and any page that embeds
# MyActiveXCtrl legitimately will alert. The bug is an overflow of the URL value; a length check on
# that value would turn these into exploit signatures rather than usage signatures.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; distance:0; content:"URL"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si"; classtype:attempted-user; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft; sid:2010373; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1"; nocase; distance:0; content:"URL"; nocase; classtype:attempted-user; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft; sid:2010374; rev:2;)
#by stillsecure
# NOTE(review): Hummingbird Deployment Wizard (sid 2008678): the pcre alternative "Run" is unanchored
# and case-insensitive, so /run/i also matches "running", "Truncate", etc.; in practice the rule is
# CLSID-only. Anchor the method names (e.g. to a preceding "." or whitespace) to regain selectivity.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
WEB_CLIENT ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; distance:0; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32337/; reference:url,doc.emergingthreats.net/2008678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Hummingbird; sid:2008678; rev:5;)
#by Stillsecure (stillsecure.com)
# NOTE(review): IAS Helper (sid 2008618) is bound to "$EXTERNAL_NET any -> $HOME_NET any" instead of
# $HTTP_PORTS, so it runs against every inbound established stream; and a remote DoS is classed
# web-application-attack, where attempted-dos would give a more honest priority.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; distance:0; nocase; content:"PutProperty"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; reference:url,doc.emergingthreats.net/2008618; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IAS; sid:2008618; rev:5;)
#by stillsecure
# IBM Access Support (sids 2010482/2010483): ProgID and CLSID variants of the GetXMLValue overflow;
# the Metasploit module is referenced directly, so expect the exact PoC shape to be what was tested.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IBM Access Support ActiveX Stack Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"IbmEgath.IbmEgathCtl.1"; distance:0; nocase; content:"GetXMLValue"; nocase; classtype:attempted-user; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,doc.emergingthreats.net/2010482; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IBM; sid:2010482; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IBM Access Support ActiveX stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; 
content:"74FFE28D-2378-11D5-990C-006094235084"; nocase; distance:0; content:"GetXMLValue"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*74FFE28D-2378-11D5-990C-006094235084/si"; classtype:attempted-user; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,doc.emergingthreats.net/2010483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IBM; sid:2010483; rev:2;)
#by Chandan at Stillsecure
# IBiz E-Banking Integrator (sid 2008126): the /.*\.(ini|exe|...)/i pcre is unanchored and not tied
# to the CLSID (its leading ".*" is redundant); "WriteOFXDataFile" is the real selector.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; distance:0; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IBiz; sid:2008126; rev:5;)
# Submitted 2006-09-18 by Christian Seifert, updated 2/5/07
# Microsoft Multimedia Controls / DirectAnimation.PathControl (sids 2003102-2003105, CVE-2006-4446
# and CVE-2006-4777): 2003102 pairs the CLSID with the classid pcre and the ".Spline(" call;
# note the GUID is not relative to "CLSID" (no distance:0).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID"; flow:from_server,established; content:"CLSID"; nocase; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".Spline|28|"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/si"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003102; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft 
Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003103; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003103; rev:8;)
# NOTE(review): sids 2003103 and 2003105 share a pcre whose second alternative
# ((\w+) = "DirectAnimation.PathControl"; ... new ActiveXObject(\1)) back-references group 1, but
# group 1 is the quoted ProgID inside the FIRST alternative and is unset on this path. In PCRE a
# back-reference to an unset group never matches, so the variable-indirection form is dead code and
# only the direct new ActiveXObject("DirectAnimation.PathControl") form is detected; \2 looks to be
# what was intended. Also in 2003103: content:" DirectAnimation.PathControl" has a leading space and
# no nocase (compare 2003105), and "reference:url, www.osvdb.org/..." has a stray space after the
# comma. 2003104 (KeyFrame, CLSID form) omits the classid pcre that 2003102 uses, so it is looser.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003104; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003104; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; 
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003105; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003105; rev:8;)
# Submitted 2006-11-01 by Frank Knobbe
# NOTE(review): sids 2003158-2003166 are bare "CLSID token + GUID anywhere in the response" matches:
# no distance:0 tying the GUID to the CLSID token, no classid pcre, no method name. Any page that
# merely mentions the GUID (a security advisory, this rules file served over HTTP, a registry dump)
# will alert, so treat them as killbit / exposure indicators rather than exploit detections.
# "CSLID" in the msg is a typo for CLSID, and 2003159-2003166 carry no external reference at all.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; nocase; reference:url,www.securityfocus.com/bid/20843; reference:url,secunia.com/advisories/22603; reference:cve,2006-4704; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003158; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003158; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft VsmIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003159; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003159; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"639F725F-1B2D-4831-A9FD-874847682010"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003160; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003160; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; 
content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003161; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003161; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003162; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003162; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft VsaIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003163; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003163; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Business Object Factory object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003164; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003164; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Outlook Data Object object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F033-0000-0000-C000-000000000046"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003165; rev:6;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Outlook.Application object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F03A-0000-0000-C000-000000000046"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003166; rev:6;) # steven@securityzone alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft Internet Explorer ADODB.Recordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; content:"CLSID"; nocase; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003514; rev:6;) #Updated by Christian Siefert 2/5/07 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution" ; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url, osvdb.org/10705; reference:cve,2004-0216; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003231; rev:8;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)" ; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; 
content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/10705; reference:cve,2004-0216; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003232; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003232; rev:57;) #Updated by Christian Siefert, 2/5/07 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution" ; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/7913; reference:cve,2004-2291; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003233; rev:7;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)" ; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url, osvdb.org/7913; reference:cve,2004-2291; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003234; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003234; rev:7;) #by Jules Pagna Disso #onUnload event - could be used by malicious users to execute a set of commands when the user unloads the page or clicks the back button #NOTE(review): the pcre patterns below (and elsewhere in this copy) begin with "]*", which looks like a leading tag match was stripped in transit - compare against the upstream rule text before deploying alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http splitting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/]*onUnload\s*=\s*[\x22\x27]?\(\)/"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009132; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2009132; rev:4;) #NOTE(review): sid 2009133 requires both the literal "onUnload" content and an "onEnd=" pcre match in the same stream; one of the two looks like a typo - confirm which attribute was intended before relying on this rule alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http splitting attempt (img)"; flow:from_server,established; content:"img"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/]*onEnd\s*=\s*[\x22\x27]?\(\)/"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009133; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2009133; rev:4;) #onURLFlip() This event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http splitting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009134; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2009134; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer 
javascript onURLFlip http splitting attempt (img)"; flow:from_server,established; content:"img"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009135; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2009135; rev:4;) #These sigs are high load and minimal utility. #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001099; rev:8;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001101; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001101; rev:10;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Stealth attempt to execute VBScript code"; flow: from_server,established; 
pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001102; rev:10;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Stealth attempt to access SHELL\:"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001103; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001103; rev:10;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001105; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001105; rev:9;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; 
pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001106; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001106; rev:8;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001048; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001181; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001181; rev:10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001182; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid: 2001182; rev:8;) #by Andre Ludwig from MOBB alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6"; 
flow:from_server,established; content:"DirectAnimation.StructuredGraphicsControl"; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; reference:cve,2006-3427; classtype:web-application-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003023; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid:2003023; rev:6;) #by Chris Byrd, updated by Christian Siefert 2/5/07 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url, riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid:2003110; rev:5;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection" ; flow:from_server,established; content:"ftp\://"; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2003230; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid:2003230; rev:4;) #by Akash Mahajan at Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability"; flow:to_server; content:"GET "; depth:4; uricontent:"res|3a|"; uricontent:"ieframe.dll"; uricontent:"acr_error"; pcre:"/(\<\;).+(\>\;)/Ui"; classtype:web-application-attack; reference:bugtraq,28581; reference:url,www.0x000000.com/?i=544; reference:url,doc.emergingthreats.net/bin/view/Main/2008170; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_CLIENT_IE_Vulnerabilities; sid:2008170; rev:3;) #by Stillsecure (stillsecure.com) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; classtype:web-application-attack; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; reference:url,doc.emergingthreats.net/2008620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IIS; sid:2008620; rev:35;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; classtype:web-application-attack; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; reference:url,doc.emergingthreats.net/2008621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IIS; sid:2008621; rev:5;) #by Akash Mahajan of Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"BDF9442E-9B03-42C2-87BA-2A459B0A5317"; nocase; pcre:"/file\:.*\.(jpg|ini|exe|dll|bat|com|cab|txt)/i"; content:"BuildSlideShow"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/4981; reference:bugtraq,27439; reference:url,doc.emergingthreats.net/2007853; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Imageshack; sid:2007853; rev:5;) #by Akash Mahajan of Stillsecure 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"F8984111-38B6-11D5-8725-0050DA2761C4"; nocase; distance:0; content:"ImShExt.dll"; nocase; content:"DoWebMenuAction"; nocase; content:"INCREDISHELLEXTLib.IMMenuShellExt"; nocase; content:"String"; nocase; distance:0; pcre:"/[0-9]{3,}/"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/3877; reference:bugtraq,23674; reference:cve,CVE-2007-1683; reference:url,doc.emergingthreats.net/2007931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Incredimail; sid:2007931; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT InstallShield 2009 premier ActiveX File Overwrite Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ISWiAuto15.ISWiSequence"; nocase; distance:0; content:"SaveToFile"; nocase; classtype:attempted-user; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstallShield; sid:2010257; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT InstallShield 2009 premier ActiveX File Overwrite clsid Access"; flow:established,to_client; content:"34E7A6F9-F260-46BD-AAC8-1E70E22139D2"; nocase; content:"SaveToFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*34E7A6F9-F260-46BD-AAC8-1E70E22139D2/si"; classtype:web-application-attack; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstallShield; sid:2010258; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"WEB-ATTACKS InstantGet v2.08 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"98C92840-EB1C-40BD-B6A5-395EC9CD6510"; nocase; distance:0; content:"ShowBar"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C92840-EB1C-40BD-B6A5-395EC9CD6510/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/instantget-dos.txt; reference:url,doc.emergingthreats.net/2010279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstanGet; sid:2010279; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; nocase; distance:0; content:"SaveToFile"; nocase; classtype:web-application-attack; reference:bugtraq,33345; reference:url,doc.emergingthreats.net/2009115; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_JamDTA; sid:2009115; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; reference:url,doc.emergingthreats.net/2009434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Java; sid:2009434; rev:4;) #by Blake Hartstein of Demarc alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX JuniperSetup Control Buffer Overflow"; 
flow:established,from_server; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; pcre:"/param[^>]*name\s*=\s*["']?productname["']?[^>]*\s+value\s*=\s*(['"])((?!\1).|\\['"]){200}/Ri"; reference:url,www.eeye.com/html/research/advisories/AD20060424.html; classtype:attempted-user; reference:url,doc.emergingthreats.net/2002889; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Juniper; sid:2002889; rev:6;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0; content:"KEYHELP"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36546/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html; reference:url,doc.emergingthreats.net/2010012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks; sid:2010012; rev:5;) #by chandan at stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/iR"; content:"SaveSettingsToFile"; distance:0; nocase; classtype:web-application-attack; reference:url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html; reference:bugtraq,28442; reference:cve,CVE-2008-1605; reference:url,doc.emergingthreats.net/2008129; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Leadtools; sid:2008129; rev:5;) #by 
stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Logitech VideoCall ActiveX Start method buffer overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"BF4C7B03-F381-4544-9A33-CB6DAD2A87CD"; nocase; distance:0; content:"Start"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BF4C7B03-F381-4544-9A33-CB6DAD2A87CD/si"; classtype:web-application-attack; reference:url,osvdb.org/36820; reference:url,www.packetstormsecurity.nl/0911-exploits/logitechvideocall_start.rb.txt; reference:url,www.kb.cert.org/vuls/id/330289; reference:url,doc.emergingthreats.net/2010851; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Logitech; sid:2010851; rev:2;) #From Joe Stewart, LURHQ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MISC_Encrypted_Web_Content; sid: 2001811; rev:7;) #By Blake Harstein at Demarc alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; content:"CLSID"; nocase; pcre:"/CLSID\s*\:(?=\x7b?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x7d?)/i"; flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2002174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002174; rev:9;) #disabling these all, they're old and very high load #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; content:"CLSID"; 
nocase; flowbits:isset,CLSID_DETECTED; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/Ri"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002171; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002171; rev:8;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/Ri"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002172; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002172; rev:8;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3)"; 
flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/Ri"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002173; rev:10;) #By Blake Harstein of Demarc #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; classtype:web-application-attack; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; reference:url,doc.emergingthreats.net/2002308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002308; rev:46;) #By Blake Hartstein #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS05-052 (group 1)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; 
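pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/Ri"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002491; rev:8;)
# NOTE(review): this stretch reached us flattened (several rules and their "#by" attributions per physical line); it is
# re-laid out one rule per line with attributions on their own lines. The rule fragment above and the one at the end of
# this stretch belong to rules that start before / end after it and are left exactly as found.
# Changes made here (rev bumped on every rule whose text changed):
#  - sid 2010292-2010332 (MS06-042): msg carried a duplicated "ET WEB_CLIENT ACTIVEX" prefix; now matches the sibling rules.
#  - sid 2010560 (Whale call-1): the doc.emergingthreats.net reference was missing a digit (210560 -> 2010560, the rule's own sid).
#  - Every per-CLSID pcre read "/]*classid\s*=..." - the leading "<OBJECT\s+[^>" of the usual ET object-tag template had been
#    stripped (an HTML-aware extractor treats it as a tag). Without it the pcre merely re-matches the GUID that the preceding
#    content option already found and no longer requires an OBJECT tag with classid=... context. Restored from the template;
#    confirm against the upstream ruleset before deploying.
# Not changed, but worth knowing when tuning:
#  - The disabled MS05-052 group rules rely on flowbits:isset,CLSID_DETECTED; the rule that sets that flowbit is outside this stretch.
#  - sid 2008673 has a bare "nocase" after a pcre; the pcre already carries /i, so it appears to be a no-op - harmless, left as is.
#  - All of these are "known-vulnerable CLSID seen in a server response" detections: they can fire on benign pages that embed
#    the same object, so treat hits as triage leads and correlate with the client's patch state before acting.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS05-052 (group 2)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/Ri"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002492; rev:8;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS05-052 (group 3)"; flow:established,from_server; content:"CLSID"; nocase; flowbits:isset,CLSID_DETECTED; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/Ri"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-038; sid:2002493; rev:77;)
#by Blake Hartstein
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX MciWndx ActiveX Control"; flow:from_server,established; content:"CLSID"; nocase; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-054; sid:2002724; rev:7;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/Ri"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS05-054; sid:2002725; rev:9;)
#By Blake Hartstein from Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/Ri"; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-013; sid:2002861; rev:7;)
#by Blake Hartstein at Demarc
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:2002971; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:2010263; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:2010264; rev:3;)
#by shirkdog and Blake hartstein, split by kevin ross for performance
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 1 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5DFB2651-9668-11D0-B17B-00C04FC2A0CA/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010292; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010292; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 2 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010293; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010293; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 3 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010294; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 4 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010295; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 5 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010296; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 6 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010297; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 7 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010298; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 8 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010299; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 9 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"31087270-D348-432C-899E-2D2F38FF29A0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010300; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010300; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 10 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010301; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 11 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"2EA10031-0033-450E-8072-E27D9E768142"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010302; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010302; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 12 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010303; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 13 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010304; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 14 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010305; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 15 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010306; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 16 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010307; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 17 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"679E132F-561B-42F8-846C-A70DBDC62999"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010308; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 18 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010309; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 19 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010310; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 20 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010311; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010311; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010312; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 22 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010313; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 23 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010314; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 24 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010315; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 25 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010316; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 26 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010317; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 27 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010318; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 28 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010319; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 29 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010320; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 30 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010321; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 31 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010322; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010323; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010323; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010324; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010324; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010325; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010325; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010326; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010326; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"ADEADEB8-E54B-11d1-9A72-0000F875EADE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADEADEB8-E54B-11d1-9A72-0000F875EADE/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010327; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"EC85D8F1-1C4E-46e4-A748-7AA04E7C0496"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC85D8F1-1C4E-46e4-A748-7AA04E7C0496/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010328; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010329; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010329; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"E673DCF2-C316-4c6f-AA96-4E4DC6DC291E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4c6f-AA96-4E4DC6DC291E/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010330; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010330; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010331; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010331; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"01002B17-5D93-4551-81E4-831FEF780A53"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; classtype:attempted-user; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010332; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-042; sid:2010332; rev:3;)
#by Jaime Blasco
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Communications Control Clsid Access"; flow:from_server,established; content:"clsid"; nocase; content:"648A5600-2C6E-101B-82B6-000000000014"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*648A5600-2C6E-101B-82B6-000000000014/si"; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,doc.emergingthreats.net/2009400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MSCC; sid:2009400; rev:5;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; distance:0; content:"GetEntryPointForThread"; nocase; classtype:web-application-attack; reference:bugtraq,31996; reference:url,doc.emergingthreats.net/2008792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MSDebugDiag; sid:2008792; rev:44;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; distance:0; content:"Open"; nocase; content:".avi"; nocase; distance:0; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; reference:url,doc.emergingthreats.net/2008993; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MSVB_AVI; sid:2008993; rev:4;)
#by Veerendra at secpod
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"clsid"; nocase; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; nocase; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008673; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Picturepusher; sid:2008673; rev:7;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"CheckForUpdates"; nocase; classtype:web-application-attack; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale; sid:2010560; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"UpdateComponents"; nocase; classtype:web-application-attack; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale; sid:2010561; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1"; flow:established,to_client; content:"clsid"; nocase; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; distance:0; content:"CheckForUpdates"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; classtype:web-application-attack; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale; sid:2010562; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2"; flow:established,to_client; content:"clsid"; nocase; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; distance:0; content:"UpdateComponents"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; classtype:web-application-attack; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale; sid:2010563; rev:3;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Windows Media Services nskey.dll ActiveX Control Possible Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; nocase; distance:0; content:"CallHTMLHelp"; nocase; classtype:web-application-attack; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,doc.emergingthreats.net/2008925; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Windows_Media_Services; sid:2008925; rev:4;)
#by Akash Mahajan of Stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; nocase; distance:0; content:"WksPictureInterface"; nocase; distance:0; content:"0x40000"; distance:0; reference:bugtraq,28820; reference:url,www.milw0rm.com/exploits/5460; reference:url,www.milw0rm.com/exploits/5530; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008226; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Works; sid:2008226; rev:5;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft XML Core Services DTD Cross Domain Information Disclosure object"; flow:to_client,established; content:"Msxml2.DOMDocument.3.0"; nocase; content:"loadXML"; distance:0; nocase; content:"parseError.srcText"; distance:0; nocase; classtype:web-application-attack; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_XML_Core; sid:2008886; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid"; flow:to_client,established; content:"CLSID"; nocase; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; distance:0; content:"loadXML"; nocase; distance:0; content:"parseError.srcText"; nocase; distance:0; 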
classtype:web-application-attack; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008887; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_XML_Core; sid:2008887; rev:4;) #by kevin ross # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Windows Media Encoder 9 wmex.dll ActiveX GetDetailsString Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C"; nocase; distance:0; content:"GetDetailsString"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/31065; reference:cve,2008-3008; reference:url,doc.emergingthreats.net/2010689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_wmex; sid:2010689; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871; reference:url,doc.emergingthreats.net/2008809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MW6; sid:2008809; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873; reference:url,doc.emergingthreats.net/2008810; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MW6; sid:2008810; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872; reference:url,doc.emergingthreats.net/2008811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MW6; sid:2008811; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; reference:url,doc.emergingthreats.net/2008812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MW6; sid:2008812; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Macrovision FLEXnet Connect ActiveX Control Arbitrary File Download"; flow:to_client, established; content:"clsid"; nocase; content:"1DF951B1-8D40-4894-A04C-66AD824A0EEF"; nocase; distance:0; content:"DownloadAndExecute"; nocase; classtype:successful-user; reference:bugtraq,27279; reference:url,www.milw0rm.com/exploits/4913; reference:url,doc.emergingthreats.net/2010358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Macrovision; sid:2010358; rev:2;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; 
flow:to_client,established; content:"ActiveXObject"; nocase; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; classtype:attempted-user; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Mcafee; sid:2010692; rev:2;) #by Kevin Ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"04D18721-749F-4140-AEB0-CAC099CA4741"; nocase; distance:0; content:"WriteTaskDataToIniFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*04D18721-749F-4140-AEB0-CAC099CA4741/si"; classtype:attempted-user; reference:url,www.securitytracker.com/alerts/2009/Jun/1022413.html; reference:url,www.packetstormsecurity.com/0906-exploits/mcafee-activex.txt; reference:url,doc.emergingthreats.net/2009411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Mcafee_Epolicy; sid:2009411; rev:6;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX MetaProducts MetaTreeX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; nocase; distance:0; pcre:"/(SaveToBMP|SaveToFile)/i"; classtype:web-application-attack; reference:bugtraq,33318; reference:url,milw0rm.com/exploits/7804; reference:url,doc.emergingthreats.net/2009104; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MetaProducts; sid:2009104; rev:4;) #by Jaime Blasco alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Microgaming FlashXControl Control Clsid Access"; flow:from_server,established; content:"clsid"; 
nocase; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D8089245-3211-40F6-819B-9E5E92CD61A2/si"; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,www.microgaming.co.uk/news_flashxcontrol.php; reference:url,doc.emergingthreats.net/2009401; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Microgaming; sid:2009401; rev:22;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; distance:0; pcre:"/(Save|ExportImage)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8208; reference:bugtraq,23934; reference:url,doc.emergingthreats.net/2009334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Monrovia_Barcode; sid:2009334; rev:26;) #Blake Hartstein alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; distance:0; within:500; classtype:web-application-attack; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_NCTAudiofile2; sid:2003328; rev:6;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790"; nocase; distance:0; content:"OpenFile"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790/si"; classtype:web-application-attack; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_NCTAudiofile2; sid:2010356; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCTAVIFileLib.AVIFileM"; nocase; distance:0; content:"OpenFile"; nocase; classtype:web-application-attack; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010357; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_NCTAudiofile2; sid:2010357; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX NCTsoft NCTAudioFile2 ActiveX Control NCTWMAFILE2.DLL Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; nocase; distance:0; content:"CreateFile"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7871; reference:bugtraq,24613; reference:url,doc.emergingthreats.net/2009121; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_NCTsoft; sid:2009121; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"F85B4A10-B530-4D68-A714-7415838FD174"; nocase; distance:0; content:"SelectDevice"; nocase; classtype:web-application-attack; reference:bugtraq,33726; reference:url,doc.emergingthreats.net/2009178; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Nokia_Phoenix; sid:2009178; rev:4;) #by Kevin Ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; distance:0; content:"SetFontFace"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Novell; sid:2009923; rev:5;) #by Kevin Ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Novell iPrint Client ExecuteRequest ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; classtype:attempted-user; reference:cve,2008-0935; reference:url,doc.emergingthreats.net/2010693; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Novell; sid:2010693; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Novell iPrint Client GetDriverSettings ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; distance:0; content:"GetDriverSettings"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; classtype:attempted-user; reference:cve,2008-2908; reference:url,doc.emergingthreats.net/2010694; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Novell; sid:2010694; rev:2;) #by kevin ross alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Opera User-Agent Flowbit Set"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| Opera/"; nocase; classtype:not-suspicious; flowbits:set,ET.opera.useragent.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010873; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Opera; sid:2010873; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Opera Web Browser Content-Length Buffer Overflow Attempt"; flowbits:isset,ET.opera.useragent.request; flow:established,to_client; content:"Content-Length|3A|"; nocase; isdataat:3000,relative; content:!"|0A|"; within:3000; content:"Location|3A| chrome|3A|//"; nocase; distance:3000; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38519; reference:url,doc.emergingthreats.net/2010874; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Opera; sid:2010874; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; content:"clsid"; nocase; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; distance:0; content:"download"; nocase; classtype:web-application-attack; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; reference:url,doc.emergingthreats.net/2009314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Orbit; sid:2009314; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Orca Browser 1.1 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; distance:0; content:"ExecCommand"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Orca; sid:2010363; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Orca Browser 1.1 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOZXLib.EmbeddedMoz"; nocase; distance:0; content:"ExecCommand"; nocase; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Orca; sid:2010364; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX PDFZilla 1.0.8 ActiveX DebugMsgLog method DOS CLSid Access"; flow:established,to_client; content:"clsid"; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; nocase; distance:0; content:"DebugMsgLog"; nocase; classtype:web-application-attack; reference:url,packetstormsecurity.org/0908-exploits/pdfzilla-overflow.txt; reference:url,doc.emergingthreats.net/9130; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PDFZilla; sid:2010029; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX PPMate PPMedia Class ActiveX Control Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; nocase; distance:0; content:"StartURL"; nocase; classtype:web-application-attack; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; reference:url,milw0rm.com/exploits/6090; reference:url,doc.emergingthreats.net/2009143; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PPMate; sid:2009143; rev:33;) #by Akash Mahajan at Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; nocase; content:"0x40000"; content:"Logo"; nocase; classtype:web-application-attack; reference:bugtraq,25502; reference:url,doc.emergingthreats.net/2008173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PPStream; sid:2008173; rev:5;) #by Kevin Ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36234/info; reference:url,doc.emergingthreats.net/2009858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PPStream; sid:2009858; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; distance:0; nocase; content:"SetID"; nocase; classtype:web-application-attack; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; reference:url,doc.emergingthreats.net/2009002; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PhoenicianCasino; sid:2009002; rev:4;) #by Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control 
Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; distance:0; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; classtype:web-application-attack; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PowerTCP; sid:2008683; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; distance:0; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; reference:url,doc.emergingthreats.net/2009315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_PrecisionID; sid:2009315; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ProgramChecker 1.5 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"DD50A655-10FB-11D2-A22B-00104B27F81B"; nocase; distance:0; content:"Run"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DD50A655-10FB-11D2-A22B-00104B27F81B/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Program_Checker; sid:2010365; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ProgramChecker 1.5 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TRATLLib.Options"; nocase; 
distance:0; content:"Run"; nocase; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Program_Checker; sid:2010366; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Remote Desktop Connection ActiveX Control Heap Overflow clsid access"; flow:established,to_client; content:"clsid"; nocase; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; nocase; distance:0; pcre:"/]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-044.mspx; reference:url,doc.emergingthreats.net/2009907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_RDP; sid:2009907; rev:4;) #by Akash Mahajan at Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; nocase; content:"0x40000"; nocase; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2007904; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_RTSP; sid:2007904; rev:5;) #By Blake Hartstein alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:""; pcre:"/<[^>%]*%/R"; content:""; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; classtype:web-application-attack; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Realplayer; sid:2002381; rev:8;) #by akash mahajan of Stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; nocase; content:"url"; nocase; distance:0; pcre:"/(exe|bat|com|dll|ini)/i"; content:"start"; nocase; classtype:web-application-attack; reference:cve,CVE-2006-6838; reference:bugtraq,21831; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html; reference:url,doc.emergingthreats.net/2007998; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Rediff; sid:2007998; rev:5;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Rising Online Virus Scanner ActiveX Control Scan() Method Stack Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; nocase; distance:0; content:"Scan"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9FAFB576-6933-4CCC-AB3D-B988EC43D04E/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38282; reference:url,doc.emergingthreats.net/2010839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Rising_online; sid:2010839; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; nocase; distance:0; content:"DiskType"; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8824;reference:bugtraq,23412; 
reference:url,doc.emergingthreats.net/2009725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Roxio; sid:2009725; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"EE1BBA18-F0C8-477E-8AC8-C28B94F1B7DC"; nocase; distance:0; content:"SetIAPlayerName"; nocase; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/50868; reference:url,milw0rm.com/exploits/8835; reference:url,doc.emergingthreats.net/2009735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Roxio; sid:2009735; rev:4;) #by kevin ross alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible SAP GUI ActiveX Control Insecure Method File Overwrite Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; distance:0; content:"Save"; nocase; content:"ToSessionFile"; within:17; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E/si"; classtype:attempted-user; reference:url,www.securitytracker.com/alerts/2009/Sep/1022953.html; reference:url,doc.emergingthreats.net/2010013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010013; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; nocase; distance:0; content:"Accept"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/35256/info; reference:url,doc.emergingthreats.net/2010219; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010219; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP GUI vsflexGrid ActiveX Buffer Overflow Function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"VSFlexGrid.VSFlexGridL"; nocase; distance:0; pcre:"/(Text|EditSelText|EditText|CellFontName|Archive)/i"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010467; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP GUI vsflexGrid ActiveX Archive method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"Archive"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010468; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP GUI vsflexGrid ActiveX Text method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"Text"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010469; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP GUI vsflexGrid ActiveX EditSelText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"EditSelText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010470; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP GUI vsflexGrid ActiveX EditText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"EditText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010471; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP GUI vsflexGrid ActiveX CellFontName method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"CellFontName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010472; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SAP AG SAPgui EAI WebViewer2D ActiveX stack buffer overflow CLSid Access"; flow:established,to_client; content:"clsid"; nocase; content:"A76CEBEE-7364-11D2-AA6B-00E02924C34E"; nocase; distance:0; content:"SaveToSessionFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A76CEBEE-7364-11D2-AA6B-00E02924C34E/si"; classtype:attempted-user; reference:url,dsecrg.com/pages/vul/show.php?id=143; reference:url,doc.emergingthreats.net/2010481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP; sid:2010481; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Get"; nocase; classtype:web-application-attack; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; reference:url,doc.emergingthreats.net/2009047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SaschArt; sid:2009047; rev:4;)
#by Kevin Ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; nocase; distance:0; content:"StartVideoSaving"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36217/info; reference:url,doc.emergingthreats.net/2009869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SmartVMD; sid:2009869; rev:5;)
#by kevin ross
# (I thought this one might still apply to all those devices that go out and aren't updated; it happens all the time with Cisco anyway).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; distance:0; content:"AddRouteEntry"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/26288/info; reference:cve,2007-5603; reference:url,doc.emergingthreats.net/2010456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Sonicwall; sid:2010456; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"clsid"; nocase; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; distance:0; content:"SetExternalPlayer"; nocase; classtype:web-application-attack; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; reference:url,doc.emergingthreats.net/2009226; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SopCast; sid:2009226; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution"; flow:to_client,established; content:"clsid"; nocase; content:"01110800-3E00-11D2-8470-0060089874ED"; nocase; distance:0; pcre:"/(Packagefiles|SaveDna|SetIdentity|AddFile)/i"; classtype:web-application-attack; reference:bugtraq,34004; reference:url,milw0rm.com/exploits/8160; reference:url,doc.emergingthreats.net/2009322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SupportSoft; sid:2009322; rev:4;)
#by Akash Mahajan of stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"22ACD16F-99EB-11D2-9BB3-00400561D975"; nocase; content:"0x40000"; pcre:"/(_DOWText)|(_MonthText)/i"; content:"Save"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/5205; reference:cve,CVE-2007-6017; reference:bugtraq,28008; reference:url,doc.emergingthreats.net/2007932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2007932; rev:5;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"7972D5BE-2213-4B28-884C-F8F82432EAA5"; nocase; distance:0; pcre:"/(SetupDeleteVolume|GetBackupLocationPath|CallUninstall|CanUseEasySetup|CallAddInitialProtection|CallTour)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8523; reference:bugtraq,34696; reference:url,doc.emergingthreats.net/2009373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2009373; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Symantec WinFax Pro DCCFAXVW.DLL Heap Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"C05A1FBC-1413-11D1-B05F-00805F4945F6"; nocase; distance:0; content:"AppendFax"; nocase; classtype:web-application-attack; reference:bugtraq,34766; reference:url,milw0rm.com/exploits/8562; reference:url,doc.emergingthreats.net/2009385; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2009385; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; nocase; distance:0; pcre:"/classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; classtype:web-application-attack; reference:bugtraq,8008; reference:url,xforce.iss.net/xforce/xfdb/12423; reference:url,juniper.net/security/auto/vulnerabilities/vuln8008.html; reference:url,doc.emergingthreats.net/2009847; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2009847; rev:4;)
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2010227; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"RunCmd"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; classtype:attempted-user; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2010369; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"RunCmd"; nocase; classtype:attempted-user; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2010370; rev:2;)
#by chandan at Stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; distance:0; nocase; pcre:"/[\w\W]{2500,}/i"; content:"TransferFile"; nocase; classtype:web-application-attack; reference:bugtraq,28662; reference:url,www.milw0rm.com/exploits/5398; reference:url,doc.emergingthreats.net/2008128; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Tumbleweed; sid:2008128; rev:5;)
#by akash mahajan of stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Universal HTTP File Upload Remote File Deletion"; flow:to_client,established; content:"CLSID"; nocase; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; pcre:"/(txt|ini|com|exe|bat|dll|dat)/i"; content:"RemoveFileOrDir"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/5272; reference:url,doc.emergingthreats.net/2008062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Universal_HTTP; sid:2008062; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; distance:0; content:"RemoveFileOrDir"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5569; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008225; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Universal_HTTP; sid:2008225; rev:5;)
#by kevin ross
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; uricontent:".ass"; nocase; classtype:not-suspicious; flowbits:set,ET.ass.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010757; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC; sid:2010757; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC; sid:2010758; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC; sid:2010813; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; distance:0; content:"OpenPDF"; nocase; classtype:web-application-attack; reference:bugtraq,32313; reference:url,milw0rm.com/exploits/7126; reference:url,doc.emergingthreats.net/2008869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VeryDoc; sid:2008869; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; distance:0; content:"extractPagesToFile"; nocase; distance:0; classtype:web-application-attack; reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358; reference:url,doc.emergingthreats.net/2008895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Visagesoft; sid:2008895; rev:4;)
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"; nocase; distance:0; content:"DrawText"; nocase; content:!"|0A|"; within:25; isdataat:25,relative; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E/si"; classtype:attempted-user; reference:url,en.securitylab.ru/poc/extra/389924.php; reference:url,doc.emergingthreats.net/2010840; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Visicom; sid:2010840; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Web on Windows ActiveX Insecure Methods"; flow:to_client,established; content:"clsid"; nocase; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; nocase; distance:0; pcre:"/(WriteIniFileString|ShellExecute)/i"; classtype:web-application-attack; reference:bugtraq,33515; reference:url,xforce.iss.net/xforce/xfdb/48337; reference:url,doc.emergingthreats.net/2009136; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_WebonWindows; sid:2009136; rev:4;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT WinDVD7 IASystemInfo.DLL ActiveX ApplicationType method buffer overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; distance:0; content:"ApplicationType"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B727C217-2022-11D4-B2C6-0050DA1BD906/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.nl/0911-exploits/windvd7_applicationtype.rb.txt; reference:url,secunia.com/advisories/24556/; reference:url,doc.emergingthreats.net/2010852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_WinDVD7; sid:2010852; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Defender ActiveX DeleteValue method Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"07DD3249-A591-4949-8F20-09CD347C69DC"; nocase; distance:0; content:"DeleteValue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07DD3249-A591-4949-8F20-09CD347C69DC/si"; classtype:attempted-user; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010834; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Windows_Defender; sid:2010834; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Defender ActiveX DeleteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"DeleteValue"; nocase; classtype:attempted-user; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010835; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Windows_Defender; sid:2010835; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Defender ActiveX WriteValue method Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"07DD3249-A591-4949-8F20-09CD347C69DC"; nocase; distance:0; content:"WriteValue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07DD3249-A591-4949-8F20-09CD347C69DC/si"; classtype:attempted-user; reference:url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt; reference:url,doc.emergingthreats.net/2010836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Windows_Defender; sid:2010836; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Defender ActiveX WriteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"WriteValue"; nocase; classtype:attempted-user; reference:url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt; reference:url,doc.emergingthreats.net/2010837; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Windows_Defender; sid:2010837; rev:2;)
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"C2828995-4A83-4100-A212-3024BA117356"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C2828995-4A83-4100-A212-3024BA117356/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010702; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Windows_Live; sid:2010702; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RichUploadLib.UploadControl"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Windows_Live; sid:2010703; rev:2;)
#Written by Erik Fichtner
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX winhlp32 ActiveX control attack, phase 1"; flowbits:noalert; flow: to_client,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/EXPLOIT_Winhelp32; sid: 2001622; rev:10;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX winhlp32 ActiveX control attack, phase 2"; flow: to_client,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; flowbits: isset,winhlp32; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/EXPLOIT_Winhelp32; sid: 2001623; rev:9;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX winhlp32 ActiveX control attack, phase 3"; flow: to_client, established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; flowbits: isset,winhlp32; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/EXPLOIT_Winhelp32; sid: 2001624; rev:9;)
#by Stillsecure (www.stillsecure.com)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; distance:0; nocase; content:"CanUninstall"; nocase; classtype:web-application-attack; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; reference:url,doc.emergingthreats.net/2008619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Zenworks; sid:2008619; rev:5;)
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8"; nocase; distance:0; content:"SetText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8/si"; classtype:attempted-user; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_acti; sid:2009893; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"A0D43FB0-116B-47AB-80FB-6DCFA92A03E3"; nocase; distance:0; content:"eXMLFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A0D43FB0-116B-47AB-80FB-6DCFA92A03E3/si"; classtype:attempted-user; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_acti; sid:2009894; rev:5;)
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT Possible activePDF WebGrabber ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"APWebGrabber.Object"; nocase; distance:0; content:"GetStatus"; nocase; classtype:attempted-user; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010690; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_activePDF; sid:2010690; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible activePDF WebGrabber ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"02C2DD87-2E67-11D2-96EF-0000861852D5"; nocase; distance:0; content:"GetStatus"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02C2DD87-2E67-11D2-96EF-0000861852D5/si"; classtype:attempted-user; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010691; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_activePDF; sid:2010691; rev:2;)
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"44A8091F-8F01-43B7-8CF7-4BBA71E61E04"; nocase; distance:0; content:"FtpConnect"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44A8091F-8F01-43B7-8CF7-4BBA71E61E04/si"; classtype:attempted-user; reference:url,www.milw0rm.org/exploits/8986; reference:url,doc.emergingthreats.net/2010161; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_eDraw; sid:2010161; rev:2;)
#by stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; content:"clsid"; nocase; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; distance:0; pcre:"/(DeleteFile|write)/i"; classtype:web-application-attack; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_iDefense_COMRaider; sid:2009187; rev:4;)