emerging-web_client.rules

# Emerging Threats 
#
# This distribution may contain rules under two different licenses. 
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2019, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; classtype:attempted-user; sid:2011053; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt"; flow:established,to_client; content:"<dxstudio"; nocase; content:"shell.execute("; nocase; reference:cve,2009-2011; reference:url,doc.emergingthreats.net/2010841; classtype:attempted-user; sid:2010841; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 403 Forbidden|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010516; classtype:web-application-attack; sid:2010516; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010518; classtype:web-application-attack; sid:2010518; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<body\s+[^>]*onUnload\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009132; classtype:web-application-attack; sid:2009132; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (img)"; flow:from_server,established; content:"img"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<img\s+[^>]*onEnd\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009133; classtype:web-application-attack; sid:2009133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<body\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009134; classtype:web-application-attack; sid:2009134; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt"; flow:from_server,established; content:"img"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<img\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009135; classtype:web-application-attack; sid:2009135; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt"; flow:established,to_client; content:"setInterval("; nocase; content:"document.getElementById"; nocase; distance:0; content:".innerHTML"; nocase; distance:0; content:".toString("; nocase; within:60; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20815; reference:url,reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1; reference:url,doc.emergingthreats.net/2011764; classtype:attempted-user; sid:2011764; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:"<imfl>"; pcre:"/<[^>%]*%/R"; content:"</imfl>"; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; reference:url,doc.emergingthreats.net/bin/view/Main/2002381; classtype:web-application-attack; sid:2002381; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001099; classtype:misc-attack; sid:2001099; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001101; classtype:misc-attack; sid:2001101; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; classtype:misc-attack; sid:2001102; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to access SHELL#=#="; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001103; classtype:misc-attack; sid:2001103; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001105; classtype:misc-activity; sid:2001105; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001106; classtype:misc-activity; sid:2001106; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001048; classtype:misc-activity; sid:2001048; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url, riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; classtype:attempted-user; sid:2003110; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection"; flow:from_server,established; content:"ftp|3a|//"; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; reference:url,doc.emergingthreats.net/bin/view/Main/2003230; classtype:attempted-user; sid:2003230; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_client; content:"WScript.Shell"; nocase; content:"shell.Run"; nocase; within:40; content:"|22|"; within:6; reference:url,msdn.microsoft.com/en-us/library/d5fk67ky(VS.85).aspx; reference:url,doc.emergingthreats.net/2010961; classtype:attempted-user; sid:2010961; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007704; classtype:attempted-user; sid:2007704; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt"; flow:established,to_client; content:"window.open("; nocase; content:"setTimeout("; nocase; distance:0; content:"document.body.innerHTML"; nocase; distance:0; content:".stop"; nocase; distance:0; pcre:"/(window|w)\x2Estop/i"; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-45.html; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=556957; reference:cve,2010-1206; reference:url,doc.emergingthreats.net/2011240; classtype:misc-attack; sid:2011240; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt"; flow:established,to_client; content:"APPLET"; nocase; content:"children"; nocase; distance:0; content:"location.reload"; nocase; within:100; reference:url,code.google.com/p/skylined/issues/detail?id=18; reference:url,www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html; classtype:attempted-user; sid:2011864; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6"; flow:from_server,established; content:"DirectAnimation.StructuredGraphicsControl"; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; reference:cve,2006-3427; reference:url,doc.emergingthreats.net/bin/view/Main/2003023; classtype:web-application-activity; sid:2003023; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001182; classtype:misc-attack; sid:2001182; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007703; classtype:attempted-user; sid:2007703; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt"; flow:established,to_client; content:"|3C|smil"; nocase; content:"|3C|img src="; nocase; distance:0; content:!"http"; nocase; within:20; content:"|3A|//"; within:20; isdataat:700,relative; content:!"|3C 2F|smil|3E|"; nocase; within:700; content:!"|0A|"; within:700; reference:url,securitytracker.com/alerts/2010/Aug/1024336.html; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:2011366; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write % Encoding"; flow:established,to_client; content:"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012059; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding"; flow:established,to_client; content:"%u64%u6f%u63%u75%u6d%u65%u6e%u74%u2e%u77%u72%u69%u74%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012060; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding"; flow:established,to_client; content:"%61%72%67%75%6d%65%6e%74%73%2e%63%61%6c%6c%65%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012061; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding"; flow:established,to_client; content:"%u61%u72%u67%u75%u6d%u65%u6e%u74%u73%u2e%u63%u61%u6c%u6c%u65%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012062; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set"; flow:to_client,established; content:"NtDllImageBase|22|"; nocase; content:"getModuleInfos|28|"; distance:0; content:"|27|ntdll.dll|27|"; nocase; within:50; flowbits:set,NtDll.ImageBase.Module.Called; flowbits:noalert; classtype:not-suspicious; sid:2012085; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_22, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt"; flow:established,to_client; content:"@import url(|22|"; nocase; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,www.microsoft.com/technet/security/advisory/2488013.mspx; reference:bid,45246; reference:cve,2010-3971; classtype:attempted-user; sid:2012075; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding"; flow:established,to_client; content:"%u646f%u6375%u6d65%u6e74%u2e77%u7269%u7465"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012107; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding"; flow:established,to_client; content:"%u6368%u6172%u436f%u6465%u4174"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012108; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding"; flow:established,to_client; content:"%u5374%u7269%u6e67%u2e66%u726f%u6d43%u6861%u7243%u6f64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012109; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage"; flow:established,to_client; content:"|5C|x"; nocase; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; pcre:"/\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; classtype:bad-unknown; sid:2012119; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set"; flow:established,to_client; flowbits:set,ET.AVI.RIFF.Chunk; content:"|52 49 46 46|"; content:"|41 56 49 20|"; distance:4; within:4; flowbits:noalert; classtype:not-suspicious; sid:2012142; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set"; flow:established,to_client; flowbits:set,DXF.Ext.Access; content:"|20 20 30|"; content:"|0A 53 45 43 54 49 4F 4E|"; within:10; content:"|20 20 32|"; within:5; content:"|48 45 41 44 45 52|"; distance:0; content:"|0a|"; within:2; flowbits:noalert; classtype:not-suspicious; sid:2012152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"|2E|charCodeAt|28|"; nocase; within:32; pcre:"/String.fromCharCode|28|[a-z,0-9]{1,20}\x2EcharCodeAt\x28/i"; classtype:misc-activity; sid:2012205; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible % Encoded Iframe Tag"; flow:established,to_client; content:"%69%66%72%61%6d%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012241; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag"; flow:established,to_client; content:"%u69%u66%u72%u61%u6d%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012242; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag"; flow:established,to_client; content:"%u6966%u7261%u6d65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012243; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible # Encoded Iframe Tag"; flow:established,to_client; content:"#69#66#72#61#6d#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012244; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write # Encoding"; flow:established,to_client; content:"#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012245; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage"; flow:established,to_client; content:"eval|28|CRYPT.obfuscate|28|"; nocase; fast_pattern; reference:url,research.zscaler.com/2010/05/malicious-hidden-iframes-using-publicly.html; classtype:bad-unknown; sid:2012404; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_01, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_16, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt"; flow:established,to_client; content:"window.open|28|"; nocase; content:"document.createElement|28|"; nocase; distance:0; content:"document.body.appendChild|28|"; nocase; distance:0; content:"close|28|"; nocase; distance:0; content:"document.cloneNode|28|"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/16979/; classtype:attempted-user; sid:2012511; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_16, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:"AllowScriptAccess"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15698/; classtype:attempted-dos; sid:2012056; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2011866; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"Launch"; distance:0; content:"Win"; distance:0; content:".exe"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,doc.emergingthreats.net/2010968; classtype:attempted-user; sid:2010968; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With eval Function - Possibly Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"eval|28|"; nocase; distance:0; reference:url,www.w3schools.com/jsref/jsref_eval.asp; classtype:bad-unknown; sid:2011506; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Help and Support Center XSS Attempt"; flow:established,to_client; content:"hcp|3A|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; reference:cve,2010-1885; classtype:attempted-user; sid:2012756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; content:"|2f 2f|mshtml|2e|dll"; nocase; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_14, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag SQL_Injection, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/gif/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; classtype:web-application-attack; sid:2008314; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag SQL_Injection, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:2101840; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set"; flow:established,to_client; content:"PDF-"; depth:300; content:".ses"; fast_pattern; nocase; distance:0; flowbits:set,ET_Assassin.ses; flowbits:noalert; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:bad-unknown; sid:2012813; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_18, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:2101735; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_08, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow:to_client,established; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2011343; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Compressed Flash Content"; flowbits:noalert; flow:established,to_client; content:"stream"; content:"|0A|CWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)CWS/"; flowbits:set,ET.flash.pdf; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012907; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave rcsL Chunk Remote Code Execution Attempt"; flow:established,to_client; content:"rcsL"; content:"|FF F0 02 67|"; fast_pattern; distance:0; reference:url,www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/; reference:bid,42682; reference:cve,2010-2873; classtype:attempted-user; sid:2013069; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"tSAC|1D 02|"; fast_pattern; content:"|01 00 FF FF 11 11|"; distance:0; reference:url,www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/; classtype:attempted-user; sid:2013070; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of OpenAction"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"OpenAction"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^OpenAction](O|#4F)(p|#70)(e|#65)(n|#6E)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011537; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of JS"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JS"; within:2; content:"#"; within:4; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JS](J|#4A)(S|#53)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011535; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of EmbeddedFile"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"EmbeddedFile"; within:12; content:"#"; within:34; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^EmbeddedFile](E|#45)(m|#6D)(b|#62)(e|#65)(d|#64)(d|#64)(e|#65)(d#64)(F|#46)(i|#69)(l|#6C)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011530; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Type"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x3C\x3C[^>]*\x2F[^Type](T|#54)(y|#79)(p|#70)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011531; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Javascript"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C[^\n]*\x2F[^Javascript](J|#4A)(a|#61)(v|#76)(a|#61)(S|#73|#53)(c|#63)(r|#72)(i|#69)(p|#70)(t|#74)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011532; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of URL"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"URL"; within:3; content:"#"; within:7; pcre:"/\x3C\x3C[^>]*\x2F[^URL](U|#55)(R|#52)(L|#4C)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011533; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability"; flow:to_server; content:"GET"; http_method; content:"res|3a|"; http_uri; content:"ieframe.dll"; http_uri; content:"acr_error"; pcre:"/(\&lt\;).+(\&gt\;)/Ui"; reference:bugtraq,28581; reference:url,doc.emergingthreats.net/bin/view/Main/2008170; classtype:web-application-attack; sid:2008170; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer toStaticHTML HTML Sanitizing Information Disclosure Attempt"; flow:established,to_client; content:"toStaticHTML|28|"; fast_pattern; nocase; content:"expression|28|"; nocase; within:150; reference:bid,48199; reference:cve,2011-1252; classtype:attempted-user; sid:2013321; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/mfc71"; http_uri; nocase; pcre:"/mfc71[a-z]{2,3}\x2Edll/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_27, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_08, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_18, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; content:".addBehavior"; nocase; content:"|23|default|23|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:2103079; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103134; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103132; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2102437; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2102671; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2102673; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:2103149; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:2103088; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2102925; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_08_17, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; reference:bid,49933; reference:cve,2011-2841; classtype:attempted-user; sid:2013742; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_10_05, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; sid:2011543; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2102577; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_14, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; flow:established,to_client; content:"%PDF-"; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_04, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_22, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_07, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free "; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_12, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_16, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_10_09, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_10_17, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_10_17, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:".definition|28|"; nocase;  pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:19; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:18; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_07_09, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; metadata: former_category CURRENT_EVENTS; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; metadata: former_category CURRENT_EVENTS; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_10, updated_at 2017_11_29;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_10, updated_at 2017_11_29;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_10, updated_at 2017_11_29;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_07_09, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_07_11, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:created_at 2013_07_18, updated_at 2013_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017184; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017185; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017186; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017374; rev:6; metadata:created_at 2013_08_26, updated_at 2013_08_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017375; rev:6; metadata:created_at 2013_08_26, updated_at 2013_08_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; file_data; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017760; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017761; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017762; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017763; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017498; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_03_24, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.msn.com)"; flow:established,to_server; dsize:37; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.msn.com|0d 0a 0d 0a|"; distance:1; within:23; fast_pattern:3,20; threshold: type limit, count 1, seconds 300, track by_src; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2018431; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.bing.com)"; flow:established,to_server; dsize:38; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.bing.com|0d 0a 0d 0a|"; distance:1; within:24; fast_pattern:4,20; threshold: type limit, count 1, seconds 300, track by_src; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2018432; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.yahoo.com)"; flow:established,to_server; dsize:39; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.yahoo.com|0d 0a 0d 0a|"; distance:1; within:25; fast_pattern:5,20; threshold: type limit, count 1, seconds 300, track by_src; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2018433; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; content:"/Generic/BEX/iexplore_exe/"; http_uri; content:"/vgx_dll_unloaded/"; http_uri; fast_pattern; content:"Host|3A| watson.microsoft.com"; http_header; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2"; flow:established,to_server; content:"/StageOne/iexplore_exe/"; http_uri; content:"/vgx_dll/"; http_uri; fast_pattern; content:"Host|3A| watson.microsoft.com"; http_header; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018436; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_30, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_05_05, updated_at 2016_07_01;)

#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET WEB_CLIENT Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; metadata: former_category PHISHING; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:trojan-activity; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_13, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, tag DriveBy, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET [!21,!22,!23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_06_06, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_05, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_05, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_01_27, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; content:"/baby.mid"; http_uri; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_02_07, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_09_17, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2015887; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_11_14, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_18, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidden Embedded File"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/Embeddedfile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedfile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2019850; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_03, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:8; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Web_Client_Attacks, tag Metasploit, signature_severity Critical, created_at 2015_01_06, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:from_server,established; file_data; content:"|7b 5c|rt"; within:4; flowbits:set,ETPRO.RTF; flowbits:noalert; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_03_16, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_21, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Java Installer Landing Page Oct 21"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?id="; http_uri; content:"&sid="; http_uri; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; http_uri; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/U"; pcre:"/&name=[a-z0-9\x20]+$/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:2; metadata:created_at 2015_10_21, updated_at 2015_10_21;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|55 04 03|"; distance:0; content:"|09|eDellRoot"; distance:1; within:10; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_11_24, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Chrome Extension Phishing HTTP Request"; flow:to_server,established; content:"Host|3a| chrome-extension."; http_header; metadata: former_category PHISHING; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022373; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_02_16, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_06_13, updated_at 2016_07_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022954; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M1"; flow:to_server,established; content:"GET"; http_method; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern:27,20; nocase; http_uri; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; http_uri; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022980; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022981; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022993; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022994; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022955; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023037; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023040; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023051; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (err.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023055; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023056; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023057; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023058; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023069; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2016_08_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023079; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_18, performance_impact Low, updated_at 2016_08_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M1 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023235; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M2 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023238; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023239; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; metadata: former_category PHISHING; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:trojan-activity; sid:2023657; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_16, malware_family Tech_Support_Scam, performance_impact Low, updated_at 2016_12_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Warning|3a|"; nocase; http_header; distance:0; fast_pattern; content:"Call Microsoft"; http_header; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_20, updated_at 2017_01_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_20, updated_at 2017_01_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern:13,20; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023889; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024003; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, performance_impact Low, updated_at 2017_02_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"self.location.replace("; within:100; fast_pattern:2,20; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:"location|3a 20|"; http_header; fast_pattern; content:"|2f 3f|"; distance:32; within:2; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024008; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"location|3a 20|"; nocase; http_header; content:".php?cmd=_update-information&account_bank="; nocase; http_header; fast_pattern:22,20; distance:0; content:"&dispatch="; distance:32; within:10; nocase; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024016; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; content:"GET"; http_method; content:"/webapps/"; http_uri; content:"/websrc"; distance:5; within:7; http_uri; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/Ui"; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt"; flow:established,to_client; content:"table"; nocase; content:"position|3A|absolute"; nocase; within:30; content:"clip|3A|rect"; fast_pattern; nocase; within:15; metadata: former_category WEB_CLIENT; reference:bid,44536; reference:cve,2010-3962; classtype:attempted-user; sid:2011891; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_05, updated_at 2017_03_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)"; flow:established,to_client; file_data; content:"microsoft-edge|3a|http"; nocase; fast_pattern; byte_test:1,>,0x21,-20,relative; byte_test:1,<,0x28,-20,relative; byte_test:1,!=,0x23,-20,relative; byte_test:1,!=,0x24,-20,relative; byte_test:1,!=,0x25,-20,relative; byte_test:1,!=,0x26,-20,relative; content:"location"; nocase; content:"iframe"; nocase; content:"contentWindow"; nocase; metadata: former_category WEB_CLIENT; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024030; rev:2; metadata:attack_target Client_Endpoint, signature_severity Major, created_at 2017_03_06, malware_family BrokenBrowser, updated_at 2017_03_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Local file read using read protocol"; flow:established,to_client; file_data; content:"read|3a|"; nocase; fast_pattern; byte_test:1,>,0x21,-6,relative; byte_test:1,<,0x28,-6,relative; byte_test:1,!=,0x23,-6,relative; byte_test:1,!=,0x24,-6,relative; byte_test:1,!=,0x25,-6,relative; byte_test:1,!=,0x26,-6,relative; pcre:"/^\s*,\s*[a-zA-Z]\x3a[\x2f\x5c]/Ri"; metadata: former_category WEB_CLIENT; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024031; rev:2; metadata:attack_target Client_Endpoint, signature_severity Major, created_at 2017_03_06, malware_family BrokenBrowser, updated_at 2017_03_06;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?model="; nocase; http_uri; content:"&brand="; nocase; distance:0; http_uri; content:"&osversion="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; content:"&voluumdata=BASE64"; nocase; distance:0; http_uri; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024033; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Internet, signature_severity Minor, created_at 2017_03_06, malware_family Fake_Alert, updated_at 2017_03_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; metadata: former_category WEB_CLIENT; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:2; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_08, performance_impact Low, updated_at 2017_03_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Virus Alert"; nocase; fast_pattern:5,20; content:"|3a|-webkit-full-screen"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024042; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_09, updated_at 2017_03_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File Download Flowbit Set"; flow:established,to_client; content:"Content-Type|3A| application/hta"; http_header; fast_pattern:12,16; flowbits:set,et.http.hta; flowbits:noalert; metadata: former_category WEB_CLIENT; classtype:not-suspicious; sid:2024195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_04_10;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office UA FB SET"; flow:established,to_server; content:"User-Agent|3a 20|Microsoft Office"; http_header; fast_pattern:10,16; content:!"Referer|3a|"; http_header; flowbits:set,Office.UA; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_04_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_04_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2017_05_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; nocase; within:100; metadata: former_category WEB_CLIENT; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2017_05_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase;  content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; metadata: former_category WEB_CLIENT; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_05_16, performance_impact Moderate, updated_at 2017_05_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_19, updated_at 2017_05_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.websocket.send"; pcre:"/^\s*?\(/Rs"; content:"beef.encode.base64.encode"; pcre:"/^\s*?\(/Rs"; metadata: former_category WEB_CLIENT; classtype:attempted-user; sid:2024415; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF HTTP Get Outbound"; flow:to_server,established; content:".js?BEEFHOOK="; http_uri; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; metadata: former_category WEB_CLIENT; reference:url,beefproject.com; classtype:attempted-user; sid:2024416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Phishing Blockchain title over non SSL Jul 10 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"bitcoin wallet - blockchain"; nocase; within:50; fast_pattern:7,20; metadata: former_category PHISHING; classtype:trojan-activity; sid:2024450; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_10, updated_at 2017_07_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing Jul 19 2017"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"function getSystemInfo"; nocase; distance:0; content:"OnChatTextKeyDown"; nocase; distance:0; fast_pattern; content:"function scrollcheck"; nocase; distance:0; content:"function callconv"; nocase; distance:0; content:"function istyping"; nocase; distance:0; content:"function dochat"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024480; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_18, updated_at 2017_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:to_client,established; content:!"Content-Type|3a 20|text/xml|0d 0a|"; http_header; content:!"Content-Type|3a 20|application/xml|0d 0a|"; http_header; file_data; content:"preserve"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_02, updated_at 2016_07_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; metadata: former_category WEB_CLIENT; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_08_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header;  content:"has been blocked"; http_header; nocase; distance:0; fast_pattern; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022925; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_06_29, performance_impact Low, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of Multimedia Content flowbit set"; flow:established,to_client; file_data; content:"|00 00 00|"; depth:3; content:"|66 74 79 70|"; distance:1; within:4; fast_pattern; flowbits:noalert; flowbits:set,ET.Multimedia.Download; metadata: former_category WEB_CLIENT; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024689; rev:1; metadata:tag noalert, created_at 2017_09_08, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of .MOV Content flowbit set"; flow:established,to_client; file_data; content:"|6D 6F 6F 76|"; distance:4; within:4; flowbits:noalert; flowbits:set,ET.MP4.Download; metadata: former_category WEB_CLIENT; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024690; rev:1; metadata:tag noalert, created_at 2017_09_08, updated_at 2017_09_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2024769; rev:2; metadata:created_at 2017_09_26, updated_at 2017_09_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 29 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern:2,20; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022992; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2017_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; metadata: former_category PHISHING; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:bad-unknown; sid:2021893; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_10_02, updated_at 2017_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category WEB_CLIENT; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2017_05_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"|0d 0a|location|3a 20|"; fast_pattern; http_header; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/RHi"; metadata: former_category PHISHING; classtype:trojan-activity; sid:2025006; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_10, updated_at 2017_11_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 2"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"J1bmRsbDMy"; content:"VzZXJJbml0TXByTG9nb25TY3JpcH"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 6"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"Eb3dubG9hZEZpbG"; content:"XZWJDbGllbn"; content:"pby5GaWxl"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:trojan-activity; sid:2024985; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, malware_family SocEng, performance_impact Low, updated_at 2017_11_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,from_server; file_data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; metadata: former_category WEB_CLIENT; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_15, performance_impact Significant, updated_at 2017_11_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PWNJS JS Constructs"; flow:established,from_server; file_data; content:"base_lo"; content:"base_hi"; content:"fake_object"; fast_pattern; pcre:"/^\s*?\[\s*?\d/Rs"; content:"i32"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"f64"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"array_addr"; metadata: former_category WEB_CLIENT; reference:url,raw.githubusercontent.com/theori-io/pwnjs/; classtype:attempted-user; sid:2024994; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_15, performance_impact Moderate, updated_at 2017_11_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)"; flow:established,to_server; http_start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; depth:36; isdataat:!1,relative; threshold:type both,track by_src,count 2,seconds 10; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2018430; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:established,to_client; http_response_line; content:"HTTP/1.1 405 Method Not Allowed"; depth:31; isdataat:!1,relative; nocase; file_data; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010520; classtype:web-application-attack; sid:2010520; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Google Chrome Credential Stealing via SCF file Reflected Request"; flow:to_server,established; content:"shell"; nocase; http_uri; content:"IconFile"; http_uri; nocase; content:"|5c 5c|"; http_raw_uri; pcre:"/Shell.*%0a\s*IconFile\s*=\s*\x5c\x5c/iI"; metadata: former_category WEB_CLIENT; reference:url,defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf; classtype:attempted-recon; sid:2025060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, performance_impact Low, updated_at 2017_11_27;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)"; dns_query; content:"nyoogle.info"; nocase; isdataat:!1,relative; metadata: former_category CURRENT_EVENTS; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025217; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (lite-bookmarks .info in DNS Lookup)"; dns_query; content:"lite-bookmarks.info"; nocase; isdataat:!1,relative; metadata: former_category CURRENT_EVENTS; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025219; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flow:established,to_client; content:"stream"; content:"|0a|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; metadata: former_category WEB_CLIENT; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_04, updated_at 2018_02_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"; flow:established,from_server; file_data; content:"<script"; nocase; content:"<"; distance:0; content:".length"; distance:0; nocase; fast_pattern; pcre:"/^\s*?\)\s*?\{\s*(?P<var>[^\s]+)\s*=[^\x5b]+?\x5b\s*(?P=var)\s*?\|\s*?0\s*?\]\s*?\x3b\s*?/Rsi"; content:"^="; distance:0; pcre:"/^\s*[^\s]+\x5b\s*?[^\x5d\x7c]+\x7c\s*?0\s*?\x5d\s*?\x7c\s*?0\s*?\x3b/Rsi"; metadata: former_category WEB_CLIENT; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025185; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_04, performance_impact Low, updated_at 2018_02_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Page Redirection"; nocase; fast_pattern:3,20; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; metadata: former_category PHISHING; classtype:trojan-activity; sid:2023638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_13, performance_impact Low, updated_at 2018_03_13;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; dns_query; content:"stickies.pro"; nocase; isdataat:!1,relative; metadata: former_category CURRENT_EVENTS; reference:url,www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025218; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; metadata: former_category WEB_CLIENT; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2018_04_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; metadata: former_category WEB_CLIENT; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_07, updated_at 2018_05_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_10_29, updated_at 2018_05_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; metadata: former_category WEB_CLIENT; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:3; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_14, performance_impact Low, updated_at 2017_11_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PolarisOffice Insecure Library Loading"; flow:to_server; content:"GET"; http_method; content:"puiframeworkproresenu.dll"; http_uri; isdataat:!1,relative; metadata: former_category WEB_CLIENT; reference:cve,2018-12589; classtype:attempted-user; sid:2025792; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2018_07_06, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; metadata: former_category PHISHING; classtype:bad-unknown; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1 2018-10-12"; flow:established,to_server; content:"GET"; http_method; content:"/flashplayer_down.php?clickid="; http_uri; fast_pattern; pcre:"/^[a-z0-9]{6,15}$/RUi"; metadata: former_category WEB_CLIENT; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:trojan-activity; sid:2026474; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SocEng, tag CoinMinerCampaign, signature_severity Major, created_at 2018_10_12, performance_impact Low, updated_at 2018_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M2 2018-10-12"; flow:established,to_server; content:"GET"; http_method; content:"/flashplayer_down.php"; http_uri; fast_pattern; isdataat:!1,relative; metadata: former_category WEB_CLIENT; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:trojan-activity; sid:2026475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SocEng, tag CoinMinerCampaign, signature_severity Major, created_at 2018_10_12, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file_data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_15, updated_at 2018_10_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT IE Double Free (CVE-2018-8460)"; flow:to_client,established; file_data; content:"<script"; nocase; content:"CreateElement"; nocase; content:"cssText"; nocase; content:"DOMAttrModified"; fast_pattern; nocase; content:"addEventListener"; nocase; pcre:"/(?P<obj>[^\s]{1,25})\s*=\s*document\s*\.\s*createElement.*?(?P<func>[^\s]{1,25})\s*=\s*function\s*\x28\s*e\s*\x29\s*{[^}]*this\s*\.\s*style\s*\.\s*cssText.*?(?P=obj)\s*\.\s*addEventListener\s*\x28\s*[\x22\x27]\s*DOMAttrModified\s*[\x22\x27]\s*\x2c\s*(?P=func)/si"; metadata: former_category WEB_CLIENT; reference:cve,2018-8460; classtype:attempted-user; sid:2026531; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, created_at 2018_10_23, updated_at 2018_10_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)"; flow:to_server,established; content:"POST"; http_method; content:"/upload.cfm?action=upload"; http_uri; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category WEB_CLIENT; reference:cve,2018-15961; reference:url,volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-user; sid:2026604; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, deployment Perimeter, tag CVE_2018_15961, signature_severity Major, created_at 2018_11_13, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M1 (Enable Registration)"; flow:established,to_server; content:"POST"; http_method; content:"/admin-ajax.php"; http_uri; content:"action=wpgdprc_"; http_client_body; fast_pattern; content:"users_can_register|22|,|22|value|22 3a 22|1"; http_client_body; distance:0; metadata: former_category WEB_CLIENT; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026605; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, tag PrivilegeEsc, signature_severity Major, created_at 2018_11_13, performance_impact Low, updated_at 2018_11_13;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M2 (Set as Administrator)"; flow:established,to_server; content:"POST"; http_method; content:"/admin-ajax.php"; http_uri; content:"action=wpgdprc_"; http_client_body; fast_pattern; content:"default_role|22|,|22|value|22 3a 22|administrator"; http_client_body; distance:0; metadata: former_category WEB_CLIENT; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026606; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, tag PrivilegeEsc, signature_severity Major, created_at 2018_11_13, performance_impact Low, updated_at 2018_11_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; content:"GET"; http_method; content:"user"; http_uri; nocase; content:"pass"; http_uri; distance:0; nocase; fast_pattern; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/W"; flowbits:set,ET.eduphish; metadata: former_category PHISHING; classtype:trojan-activity; sid:2025113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2019_02_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PirateBay Phish - Possibly PirateMatryoshka Related"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|3c|p|3e|In order to continue the install"; content:"enter your Piratebay user and pass below"; distance:0; content:"If u don't have an PirateBay"; distance:0; fast_pattern; metadata: former_category PHISHING; reference:url,securelist.com/piratebay-malware/89740/; classtype:trojan-activity; sid:2027081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Major, created_at 2019_03_13, malware_family PirateMatryoshka, performance_impact Low, updated_at 2019_03_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Obfuscation - Possible Phishing 2016-03-01"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern:31,20; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; metadata: former_category PHISHING; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022578; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_01, updated_at 2017_10_13;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)"; flow:established,to_server; content:"GET"; http_method; content:"wp-admin/admin-post.php?swp_debug=load_options&swp_url="; http_uri; fast_pattern; pcre:"/^https?:\/\//RU"; metadata: former_category WEB_CLIENT; reference:url,www.exploit-db.com/exploits/46794; classtype:attempted-admin; sid:2027315; rev:2; metadata:affected_product Wordpress_Plugins, deployment Perimeter, cve 2019_9978, signature_severity Major, created_at 2019_05_03, performance_impact Low, updated_at 2019_05_03;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)"; flow:established,to_server; content:"POST"; http_method; content:"/rest/tinymce/1/macro/preview"; http_uri; fast_pattern; isdataat:!1,relative; content:"|22|contentId|22|"; http_client_body; depth:20; content:"|22|_template|22 3a|"; http_client_body; distance:0; metadata: former_category WEB_CLIENT; reference:url,packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html; classtype:attempted-admin; sid:2027333; rev:2; metadata:deployment Perimeter, deployment Internal, signature_severity Major, created_at 2019_05_08, performance_impact Low, updated_at 2019_09_28;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014729; rev:5; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017122; rev:4; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; content:".exe"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017123; rev:4; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; content:"/styles/javaupdate.css"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017845; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_12_13, updated_at 2016_07_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017846; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_12_13, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019597; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_29, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; content:"windows-firewall.png"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019598; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_29, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019599; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_29, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING! Your PC may not be protected!"; content:"remove malicious malware and adware"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2020588; rev:3; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING|3a| Your PC may have a serious virus!"; content:"assistance removing malicious viruses"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2020589; rev:3; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - Alert"; flow:established,to_client; file_data; content:"<title>WARNING - SECURITY ALERT</title>"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020710; rev:3; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - png"; flow:established,to_server; content:"gp-warning-img.png"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020711; rev:3; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT</title>"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021177; rev:3; metadata:created_at 2015_06_03, updated_at 2015_06_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"<title>MICROSOFT WINDOWS SECURITY ALERT</title>"; nocase; fast_pattern; content:"<title>WARNING: VIRUS CHECK</title>"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021181; rev:3; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"<title>WARNING: VIRUS CHECK</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021182; rev:3; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"<title>Advised System Support!</title>"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021183; rev:3; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021206; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021207; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M1"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>*** Security Error Code 0x80070424</title>"; fast_pattern:29,20; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021255; rev:4; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern:10,20; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021256; rev:3; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern:9,20; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021258; rev:3; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021285; rev:3; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M2"; flow:established,to_client; file_data; content:"<title>Security Error</title>"; nocase; content:"myFunction|28 29|"; content:"setInterval"; content:"WARNING"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021286; rev:4; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M4"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; content:"onmouseover=|22|myFunction|28 29 3b 22|"; distance:1; content:"onclick=|22|myFunction|28 29 3b 22|"; distance:1; content:"onkeydown=|22|myFunction|28 29 3b 22|"; distance:1; content:"onunload=|22|myFunction|28 29 3b 22|"; distance:1; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021288; rev:3; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M1"; flow:established,to_client; file_data; content:"/Alert_files/"; nocase; fast_pattern; content:"Due to a third party application"; nocase; distance:0; content:"iOS is crashed"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021294; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"a=HT&u="; http_uri; fast_pattern; content:"&clickid="; http_uri; distance:0; content:"&browser="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&device="; http_uri; distance:0; content:"&model="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021295; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".php?cid="; http_uri; fast_pattern; content:"-w"; distance:0; http_uri; pcre:"/\.php\?cid=[0-9]+?-w[A-Z0-9]{23}$/U"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021357; rev:5; metadata:created_at 2015_06_26, updated_at 2015_06_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M2"; flow:established,to_client; file_data; content:"<title>SCANNING.."; fast_pattern; content:"myFunction|28 29|"; distance:0; content:"virus"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021358; rev:3; metadata:created_at 2015_06_26, updated_at 2015_06_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M3"; flow:established,to_client; file_data; content:"e.ctrlKey &&"; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"IP has been Registed"; nocase; fast_pattern; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021359; rev:3; metadata:created_at 2015_06_26, updated_at 2015_06_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern:11,20; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021365; rev:3; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Stylesheet June 26 2015"; flow:established,to_client; content:"Content-Type|3a 20|text/css"; http_header; file_data; content:".header-warning"; content:".what-to-do"; distance:0; content:"more-about-the-virus"; distance:0; fast_pattern; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021366; rev:3; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M5"; flow:established,to_server; content:"GET"; http_method; content:"isp="; http_uri; content:"&browser="; distance:0; http_uri; content:"&browserversion"; http_uri; distance:0; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&osversion="; http_uri; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021367; rev:3; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M6"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING|3a|"; nocase; fast_pattern; content:"onbeforeunload"; nocase; distance:0; content:"function|28 29|"; nocase; distance:0; content:"virus"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021368; rev:4; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M2"; flow:to_server,established; content:"GET"; http_method; content:"index.html?city="; http_uri; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021447; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M4"; flow:to_client,established; file_data; content:"myFunction|28 29|"; content:"setInterval"; distance:0; content:"alert"; distance:0; content:"gp-msg.mp3"; nocase; distance:0; fast_pattern; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021449; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M1"; flow:to_client,established; file_data; content:"us_win.mp3"; fast_pattern; content:"yourOS|28 29|"; distance:0; content:"myFunction|28 29|"; distance:0; content:"onload_fun|28 29|"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021500; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Sept 21 2015"; flow:established,to_client; file_data; content:"malware error 895-system 32.exe"; nocase; fast_pattern; content:"RESOLVE THE ISSUE ON TOLL FREE - 1-855-"; nocase; content:"DO NOT SHUT DOWN OR RESTART"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021811; rev:3; metadata:created_at 2015_09_22, updated_at 2015_09_22;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:".html?a="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021963; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern:8,20; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021964; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern:8,20; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021965; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern:6,20; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021966; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:"/scan"; depth:5; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/scan[A-Z][a-z]?\/?$/U"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021967; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021974; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021975; rev:3; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING! Windows Update Required"; nocase; fast_pattern; content:"Call US Toll Free|20 3a 20|1-877"; nocase; distance:0; content:"System connected with OVERSEAS IP Address"; nocase; distance:0; content:"YOUR COMPUTER HAS BEEN LOCKED!!"; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,threatglass.com/malicious_urls/funu-info; classtype:trojan-activity; sid:2022010; rev:3; metadata:created_at 2015_10_29, updated_at 2015_10_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern:10,20; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022011; rev:3; metadata:created_at 2015_10_30, updated_at 2015_10_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022012; rev:3; metadata:created_at 2015_10_30, updated_at 2015_10_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022013; rev:3; metadata:created_at 2015_10_30, updated_at 2015_10_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern:7,20; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022030; rev:3; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam JS Landing Nov 4"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; content:"Content-Encoding|3a 20|gzip"; http_header; file_data; content:"tfnnumber"; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"msgencoded"; content:"returnmsgencoded"; distance:0; content:"Base64"; pcre:"/^\s*?\.\s*?decode\s*?\(\s*?msgencoded\s*?\)\s*?\.\s*?replace/Rsi"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022031; rev:5; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam GET Nov 4"; flow:to_server,established; content:"GET"; http_method; content:".html?cid="; nocase; http_uri; fast_pattern; content:"&caid="; http_uri; nocase; distance:0; content:"&oid="; http_uri; nocase; distance:0; content:"&zid="; http_uri; nocase; distance:0; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; content:!"www.google-analytics.com|0d 0a|"; http_header; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022032; rev:4; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern:21,20; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022033; rev:3; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 11"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 22|"; fast_pattern; content:"onclick=|22|myFunction|28 29 22|"; distance:0; content:"onkeydown=|22|myFunction|28 29 22|"; distance:0; content:"onunload=|22|myFunction|28 29 22|"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022079; rev:3; metadata:created_at 2015_11_12, updated_at 2015_11_12;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,from_server; file_data; content:"Windows Browser"; fast_pattern; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]country[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]isp[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]ip[\x22\x27]/Rsi"; content:"Hello China"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022092; rev:3; metadata:created_at 2015_11_16, updated_at 2015_11_16;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022103; rev:3; metadata:created_at 2015_11_16, updated_at 2015_11_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022125; rev:3; metadata:created_at 2015_11_20, updated_at 2015_11_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M1"; flow:to_client,established; file_data; content:"/windowslogo.jpg"; fast_pattern; nocase; content:"/winborder.html"; nocase; distance:0; content:"bug1.html"; nocase; distance:0; content:"infected your system"; nocase; distance:0; content:"TCP connection already exists"; nocase; distance:0; content:"TOLL FREE"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022319; rev:3; metadata:created_at 2015_12_30, updated_at 2015_12_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M2"; flow:to_client,established; file_data; content:"/sound.mp3"; fast_pattern; nocase; content:"function goodbye"; nocase; distance:0; content:"DetectMobile()"; nocase; distance:0; content:"stopPropagation"; nocase; distance:0; content:"preventDefault"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022320; rev:3; metadata:created_at 2015_12_30, updated_at 2015_12_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022364; rev:3; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022365; rev:6; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022366; rev:3; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022409; rev:3; metadata:created_at 2016_01_26, updated_at 2016_01_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022410; rev:3; metadata:created_at 2016_01_26, updated_at 2016_01_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022525; rev:3; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022526; rev:3; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022527; rev:3; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022528; rev:3; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022530; rev:3; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022602; rev:3; metadata:created_at 2016_03_07, updated_at 2016_03_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022603; rev:3; metadata:created_at 2016_03_08, updated_at 2016_03_08;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022605; rev:3; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022606; rev:3; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022607; rev:3; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022608; rev:3; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022619; rev:3; metadata:created_at 2016_03_15, updated_at 2016_03_15;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022649; rev:3; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022651; rev:3; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022695; rev:3; metadata:created_at 2016_04_01, updated_at 2016_04_01;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022802; rev:3; metadata:created_at 2016_05_11, updated_at 2016_05_11;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022853; rev:3; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern:6,20; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022854; rev:3; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022855; rev:3; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022856; rev:3; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022857; rev:3; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022926; rev:3; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; content:"GET"; http_method; content:"your-computer-is-locked-"; nocase; http_uri; fast_pattern; content:"your-computer-is-locked-"; http_uri; distance:0; nocase; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022927; rev:3; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022928; rev:3; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_03, performance_impact Low, updated_at 2017_02_03;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024125; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024126; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024129; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024130; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024131; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; metadata: former_category WEB_CLIENT; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024132; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Multibrowser Resource Exhaustion observed in Tech Support Scam"; flow:from_server,established; file_data; content:"var|20|total|20|=|20 22 22 3b|"; nocase; content:"total|20|=|20|total"; nocase; distance:0; content:"history.pushState"; nocase; fast_pattern; distance:0; pcre:"/^\s*\(\s*0\s*,\s*0\s*,\s*total\s*\)/Ri"; metadata: former_category WEB_CLIENT; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1246773; classtype:trojan-activity; sid:2024305; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_16, updated_at 2017_05_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (warning.mp3) Jan 24 2017"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"warning.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024365; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_06_08, malware_family Tech_Support_Scam, performance_impact Moderate, updated_at 2017_06_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M2 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"microsoft official support"; nocase; within:50; fast_pattern:6,20; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024444; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M1 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"security error 0x00759b"; nocase; within:50; fast_pattern:3,20; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024445; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M3 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"virus warning alert"; nocase; within:50; fast_pattern; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024446; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Tech Support Phone Scam Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"official apple support"; nocase; within:50; fast_pattern:2,20; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024447; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M4 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"windows official support"; nocase; within:50; fast_pattern:4,20; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024448; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe - Update Adobe Flash Player</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player Update</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024644; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024645; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player|20 7c 20|Free Download</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024646; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player Update</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024647; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player is outdated</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>flash player might be outdated</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Sep 08 2017"; flow:established,to_client; file_data; content:"background-color|3a|#CE3426|3b|"; nocase; fast_pattern:5,20; content:"=window[|22|eval|22|](|22|eval|22|)|3b|"; nocase; distance:0; content:"charCodeAt"; distance:0; content:"fromCharCode"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_08, updated_at 2017_09_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam Landing M1 Oct 13 2017"; flow:established,to_client; file_data; content:"<title>Windows Defender</title>"; nocase; fast_pattern; content:"background-color|3a 20|#659e1d"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024841; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_10_13, updated_at 2017_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Oct 16 2016"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm="; nocase; http_header; content:"Error"; http_header; nocase; distance:0; fast_pattern; content:"-"; distance:0; http_header; pcre:"/^WWW-Authenticate\x3a\x20Basic\x20realm=[\x22\x27][^\r\n]*Error[^\r\n]*-/Hmi"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024844; rev:4; metadata:created_at 2017_10_16, updated_at 2017_10_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:from_server,established;file_data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2024845; rev:3; metadata:created_at 2017_10_16, updated_at 2017_10_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2018-01-10"; flow:from_server,established; file_data; content:"<title>Security Warning"; nocase; fast_pattern; content:"background-color:#d70000"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2025197; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_01_10, updated_at 2018_01_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 12"; flow:from_server,established; file_data; content:"|57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 41 6c 65 72 74 20 3a 20 5a 65 75 73 20 56 69 72 75 73 20 44 65 74 65 63 74 65 64 20 49 6e 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 20 21 21 3c 2f 68 31 3e|"; fast_pattern; nocase; content:"|3e 50 6c 65 61 73 65 20 44 6f 20 4e 6f 74 20 53 68 75 74 20 44 6f 77 6e 20 6f 72 20 52 65 73 65 74 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 2e 3c 2f 68 33 3e|"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2025345; rev:3; metadata:created_at 2018_02_12, updated_at 2018_02_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Software Update Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Adobe - Update"; nocase; fast_pattern; content:"href=|22|flashfiles/"; nocase; distance:0; content:"src=|22|flashfiles/"; nocase; distance:0; content:"function getUrl(url)"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,www.malware-traffic-analysis.net/2018/07/05/index.html; classtype:trojan-activity; sid:2025715; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2018-07-18"; flow:established,to_client; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|Microsoft has detected suspicious activity"; http_header; fast_pattern; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2025831; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Major, created_at 2018_07_18, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"Microsoft Windows Notification"; nocase; fast_pattern; content:"<audio autoplay=autoplay loop id=audio>"; nocase; distance:0; content:".mp3 type=audio/mpeg"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2025908; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_07_26, updated_at 2018_07_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"href=|22|./files/alert.css"; nocase; content:"<audio autoplay=|22|autoplay|22 20|loop=|22|"; nocase; fast_pattern; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Internet Security Alert"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2025909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_07_26, updated_at 2018_07_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"<title>Windows Defender"; nocase; fast_pattern; content:"<audio id=|22|play|22 20|loop="; nocase; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Windows Defender Alert"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2025910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_07_26, updated_at 2018_07_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam Landing 2018-09-12"; flow:established,to_client; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern; content:"<strong>VIRUS ALERT FROM MICROSOFT"; nocase; distance:0; content:"<audio autoplay=|22|autoplay|22|"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2026111; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_09_12, updated_at 2018_09_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M1 2019-04-15"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"alert|28 22|Windows|20|Firewall|20|has|20|detected|20|that|20|your|20|Windows"; fast_pattern; content:"system|20|files|20|are|20|automatically|20|deleted"; distance:0; within:200; content:"Please|20|follow|20|the|20|instructions"; distance:0; within:200; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2027197; rev:2; metadata:tag Tech_Support_Scam, tag Malvertising, created_at 2019_04_15, updated_at 2019_04_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M2 2019-04-15"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"createOscillator|28 29|"; content:"createGain|28 29|"; distance:0; content:"|3e|System|20|Warning!|3c 2f|span|3e|"; distance:0; fast_pattern; content:"|3c|b|3e|Windows|20|Version"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2027198; rev:2; metadata:tag Tech_Support_Scam, tag Malvertising, created_at 2019_04_15, updated_at 2019_04_15;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M2"; dns_query; content:"avirus"; fast_pattern; nocase; isdataat:100,relative; content:!"spotify.com"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022691; rev:5; metadata:created_at 2016_03_30, updated_at 2019_08_30;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M1 Feb 29"; dns_query; content:"helpdesk"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022575; rev:4; metadata:created_at 2016_02_29, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M2 Feb 29"; dns_query; content:"errorcode"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022576; rev:4; metadata:created_at 2016_02_29, updated_at 2019_08_30;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M1 Mar 3"; dns_query; content:"errorfound"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022591; rev:4; metadata:created_at 2016_03_03, updated_at 2019_08_30;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M2 Mar 3"; dns_query; content:"unattendedfile"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022592; rev:4; metadata:created_at 2016_03_03, updated_at 2019_08_30;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M3 Mar 3"; dns_query; content:"internetsituation"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022593; rev:4; metadata:created_at 2016_03_03, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 15"; dns_query; content:"suspiciousactivity"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022625; rev:4; metadata:created_at 2016_03_16, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M1"; dns_query; content:"errorunauthorized"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022631; rev:4; metadata:created_at 2016_03_21, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M2"; dns_query; content:"drivercrashed"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022632; rev:4; metadata:created_at 2016_03_21, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M3"; dns_query; content:"computer-is-locked"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022633; rev:4; metadata:created_at 2016_03_21, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 23"; dns_query; content:"unauthorized-transaction"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022648; rev:4; metadata:created_at 2016_03_23, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M1"; dns_query; content:"diskissue"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022690; rev:4; metadata:created_at 2016_03_30, updated_at 2019_08_30;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 4"; dns_query; content:"callasap"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022696; rev:4; metadata:created_at 2016_04_04, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M3 Feb 29"; dns_query; content:"yourcomputer"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022739; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M1"; dns_query; content:"unusualactivity"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022740; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M2"; dns_query; content:"yoursystem"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022741; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M3"; dns_query; content:"howcanwehelp"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022742; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M4"; dns_query; content:"bluescreen"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022743; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M5"; dns_query; content:"cloud-on"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022744; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M6"; dns_query; content:"call-now"; fast_pattern; nocase; isdataat:100,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022745; rev:4; metadata:created_at 2016_04_18, updated_at 2019_08_30;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023833; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023834; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023835; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023836; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023837; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023839; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023840; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023841; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023842; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023843; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023844; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023845; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023846; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023847; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023848; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023851; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023852; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023853; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023854; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023855; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023856; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023857; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023858; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023859; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023860; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023861; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023862; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023863; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023864; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023865; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023866; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023867; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; dns_query; content:"secure.netsolhost.com"; depth:21; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category PHISHING; classtype:trojan-activity; sid:2022136; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_24, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"eval|28|function|28|p,a,c,k,e,r|29|"; depth:26; content:"|20|TASKID|3d|"; distance:0; content:"|20|MAGICNUM|3d|"; distance:0; within:25; content:"|20|EXECNUM|3d|"; distance:0; within:25; content:"|20|FEEDBACKADDR|3d|"; distance:0; within:25; content:"|28 2f|chrome|5c 5c 2f 28 5b 5c 5c 64 5d 2b 29 2f|gi"; distance:0; fast_pattern; metadata: former_category WEB_CLIENT; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027961; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_09_06, updated_at 2019_09_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var _a"; depth:6; content:"|27 2c|_b"; distance:0; within:120; content:"|27 2c|_c"; distance:0; within:120; content:"|2c|TASKID|3d|"; distance:0; content:"|2c|MAGICNUM|3d|"; distance:0; within:25; content:"|2c|EXECNUM|3d|"; distance:0; within:25; content:"|2c|FEEDBACKADDR|3d|"; distance:0; within:25; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:27; within:11; metadata: former_category WEB_CLIENT; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027962; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_09_06, updated_at 2019_09_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var _a|3d 27|"; depth:8; content:"|27 2c|_b|3d 27|"; distance:0; within:120; content:"|27 2c|_c|3d 27|"; distance:0; within:120; content:"|27 2c|e|3d|"; distance:0; within:120; content:"|2c|t|3d|"; distance:0; within:10; content:"|2c|n|3d|"; distance:0; within:15; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:26; within:12; metadata: former_category WEB_CLIENT; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027963; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_09_06, updated_at 2019_09_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var _a|3d 22|"; depth:8; content:"|22 2c|_b|3d 22|"; distance:0; within:120; content:"|22 2c|_c|3d 22|"; distance:0; within:120; content:"|22 3b|eval|28|function|28 5f 2c|"; distance:0; within:120; content:"|29 7b|if|28|n|3d|function|28 5f 29 7b|return|28 5f|"; distance:9; within:27; fast_pattern; metadata: former_category WEB_CLIENT; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027964; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_09_06, updated_at 2019_09_09;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|22|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003326; classtype:attempted-admin; sid:2003326; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|27|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003327; classtype:attempted-admin; sid:2003327; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; content:".ass"; http_uri; nocase; flowbits:set,ET.ass.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010757; classtype:not-suspicious; sid:2010757; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; metadata: former_category EXPLOIT_KIT; classtype:bad-unknown; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_12, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_28, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_21, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND"; http_method; nocase; flowbits:set,ET.PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2019_09_27;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns_query; content:".connectioncdn.com"; nocase; isdataat:!1,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2028649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_10_04, malware_family CookieMonster, performance_impact Low, updated_at 2019_10_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; metadata: former_category WEB_CLIENT; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_05_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_05_10, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_05_04, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_07_11, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_08_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2019_10_07;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2017549; rev:3; metadata:created_at 2013_10_01, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_10_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_04, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_29, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_06, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_14, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; metadata: former_category WEB_CLIENT; classtype:bad-unknown; sid:2018172; rev:3; metadata:created_at 2014_02_25, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_03_20, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_12_12, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download"; flow:established,to_server; content:"/Signed_Update.jar"; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018969; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, tag DriveBy, signature_severity Major, created_at 2014_08_20, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, tag DriveBy, signature_severity Major, created_at 2014_08_20, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_09_04, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Web_Client_Attacks, tag Metasploit, signature_severity Critical, created_at 2012_09_17, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_10_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_09_04, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; content:"/cart.php?site="; fast_pattern; http_uri; content:"&p="; http_uri; content:"&nm="; http_uri; metadata: former_category PHISHING; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:trojan-activity; sid:2019682; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_11_07, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_13, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_14, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_17, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_02_10, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_05_08, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; content:"GET"; http_method; content:"/tabDialog.html?dialog=login"; http_uri; fast_pattern; metadata: former_category PHISHING; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022374; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, performance_impact Low, updated_at 2019_10_07;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_18, performance_impact Low, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt"; flow:to_server,established; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; http_uri; fast_pattern; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:attempted-user; sid:2023756; rev:3; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_01_24, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; content:"application/hta|0d 0a|"; http_header; nocase; fast_pattern; metadata: former_category WEB_CLIENT; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_04_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; content:".hta"; nocase; http_uri; fast_pattern; content:"User-Agent|3a 20|Microsoft Office"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category WEB_CLIENT; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_04_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; metadata: former_category WEB_CLIENT; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_15, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 1"; flow:from_server,established; file_data;  content:"vbscript"; nocase; content:".run"; nocase; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; metadata: former_category WEB_CLIENT; classtype:attempted-user; sid:2025061; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_27, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data;  content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; metadata: former_category WEB_CLIENT; classtype:attempted-user; sid:2025062; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_27, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; metadata: former_category WEB_CLIENT; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2018_01_09, performance_impact Moderate, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; metadata: former_category WEB_CLIENT; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_26, updated_at 2019_10_07;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2021968; rev:4; metadata:created_at 2015_10_19, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_08_24, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Internet Security Damaged !!! Call Help Desk"; nocase; classtype:trojan-activity; sid:2028970; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_11_14, updated_at 2019_11_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Official Windows Notification"; nocase; fast_pattern; content:"Call Windows Technical Support"; nocase; distance:0; classtype:trojan-activity; sid:2028971; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_11_14, updated_at 2019_11_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Magecart Credit Card Information JS Script"; flow:established,to_client; content:"200"; http_stat_code; http_content_type; content:"application/javascript"; depth:22; isdataat:!1,relative; file_data; content:" Sxml_cc_cid"; nocase; content:"Sxml_cc_number"; nocase; distance:0; content:"Sxml_expiration_yr"; nocase; distance:0; content:"ccnum+|22 3b 22|+exp_m+|22 3b 22|+exp_y+|22 3b 22|+cvv"; distance:0; fast_pattern; nocase; metadata: former_category MALWARE; classtype:trojan-activity; sid:2029073; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_11_27, updated_at 2019_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT BottleEK Landing"; flow:established,to_client; content:"200"; http_stat_code; http_content_type; content:"text/html"; depth:9; isdataat:!1,relative; http_content_len; byte_test:0,<,1000,0,string,dec; file_data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; distance:0; isdataat:!1,relative; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2029122; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_12, updated_at 2019_12_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT BottleEK Plugin Check JS"; flow:established,to_client; content:"200"; http_stat_code; http_content_type; content:"application/javascript"; file_data; content:"hasFlash=0x1"; content:"flashVersion=parseInt(VSwf"; distance:0; fast_pattern; content:"new RegExp('MSIE|5c|x20(|5c|x5cd+|5c|x5c.|5c|x5cd+)|3b|')|3b|"; distance:0; content:"))|3b|if(user==''){setCookie("; distance:0; content:"'data':{'data1':chk,'data2':is64,'data3':fls"; distance:0; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2029123; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_12, updated_at 2019_12_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious VBS Encoding Observed in BottleEK"; flow:established,to_client; http_content_type; content:"application/octet-stream"; file_data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; metadata: former_category EXPLOIT_KIT; classtype:bad-unknown; sid:2029125; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_12, updated_at 2019_12_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BottleEK Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"/conn.php?ge="; depth:13; fast_pattern; http_uri; content:"username="; http_cookie; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2029126; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_12, updated_at 2019_12_12;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns_query; content:".sslproviders.net"; nocase; isdataat:!1,relative; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2029268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_13, malware_family CookieMonster, performance_impact Low, updated_at 2020_01_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code"; flow:established,to_client; file_data; content:"src="; nocase; content:"file|3a 2f 2f 2f 5c 5c|"; distance:0; nocase; fast_pattern; within:10; content:"|5f|C$|5f|"; nocase; distance:0; within:50; content:"visibility|3a|"; nocase; distance:0; within:50; content:"hidden"; distance:0; within:8; content:"src="; pcre:"/^\s*[\x22\x27]\s*file\x3a\x2f\x2f\x2f\x5c\x5c[^\x20]+\x5cC\$\x5c\s*[\x22\x27]/Rsi"; metadata: former_category WEB_CLIENT; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:attempted-user; sid:2029329; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2020_01_29, updated_at 2020_01_29;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"finance-usbnc.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029354; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"system-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029355; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"service-issues.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029356; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"inztaqram.ga"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029357; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"bahaius.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029358; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"malcolmrifkind.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029359; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"instagram-com.site"; fast_pattern; metadata: former_category WEB_CLIENT; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029360; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"recovery-options.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029361; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"accounts-drive.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029362; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"acconut-verify.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029363; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"customers-activities.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029364; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"yah00.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029365; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"service-activity-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029366; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"skynevvs.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029367; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"drive-accounts.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029368; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"cpanel-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029369; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"two-step-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029370; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"seisolarpros.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"phonechallenges-submit.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"customers-service.ddns.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029373; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"leslettrespersanes.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029374; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"software-updating-managers.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029375; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"niaconucil.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029376; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"w3-schools.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029377; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"unirsd.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029378; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls_cert_subject; content:"isis-online.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:trojan-activity; sid:2029379; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_02_05, performance_impact Low, updated_at 2020_02_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; content:"Content-Type|3a 20|multipart/related"; fast_pattern; http_header; file_data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; metadata: former_category WEB_CLIENT; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:5; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_15, performance_impact Low, updated_at 2020_03_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; http_content_type; content:"text/html"; depth:9; file_data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2022697; rev:5; metadata:created_at 2016_04_04, updated_at 2020_03_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file_data; content:"<title>Microsoft _Official_Support"; metadata: former_category WEB_CLIENT; classtype:trojan-activity; sid:2029733; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2020_03_24, updated_at 2020_03_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2020-04-10"; flow:established,to_client; file_data; content:"<title>Windows_Official_Support"; nocase; fast_pattern; classtype:trojan-activity; sid:2029857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.5 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WSO 2.5</title>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029861; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029859; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT X-Sec Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>X-Sec Shell V."; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029863; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ALFA TEaM Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"ALFA TEaM Shell - v"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029865; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 4.2.5 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WSO 4.2.5</title>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029867; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 4.2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WSO 4.2.6</title>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029869; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Kageyama Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<H1><center>Shell Kageyama</center></H1>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029871; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029873; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MINI MO Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029875; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_10, updated_at 2020_04_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>"; fast_pattern; classtype:web-application-attack; sid:2029882; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_13, updated_at 2020_04_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form   method=|20 22|post|22 20|action=|20 22 22|> <input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value="; fast_pattern; classtype:web-application-attack; sid:2029884; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_13, updated_at 2020_04_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Anonymous Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>AnonyMous SHell</title>"; nocase; fast_pattern; content:"id=|22|pageheading|22|>AnonyMous SHell"; nocase; distance:0; classtype:web-application-attack; sid:2029886; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Minor, created_at 2020_04_13, updated_at 2020_04_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mini Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<tr><td>Current Path : <a href=|22|?path=/"; nocase; content:"<tr class=|22|first|22|>"; nocase; distance:0; content:"<td><center>File/Folder Name</center></td>"; nocase; distance:0; content:"<td><center>Size</center></td>"; nocase; distance:0; content:"<td><center>Permissions</center></td>"; nocase; distance:0; content:"<td><center>Options</center></td>"; nocase; distance:0; content:"<td><center><form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; fast_pattern; content:"<td><a href=|22|?filesrc="; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<option value=|22|edit|22|>Edit</option>"; nocase; distance:0; classtype:web-application-attack; sid:2029888; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_13, updated_at 2020_04_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>password<br><input type=password name=pass style=|22|background-color:whitesmoke|3b|border:1px solid #fff|3b|outline:none|3b|' required>"; content:"<input type=submit name=|22|watching|22 20|value=|22|submit|22 20|style=|22|border:none|3b|background-color:#56ad15|3b|color:#fff|3b|cursor:pointer|3b 22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029890; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_13, updated_at 2020_04_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='submit' style='border:none|3b|background-color:#56AD15|3b|color:#fff|3b|cursor:pointer|3b|'></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029900; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form action=|22 22 20|method=|22|post|22|><input type=|22|text|22 20|name=|22|_nv|22|><input type=|22|submit|22 20|value=|22|>>|22|></form>"; distance:0; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029902; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file_data; content:"<title>Leaf PHPMailer"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2029904; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Owl PHPMailer Accessed on External Server"; flow:established,to_client; file_data; content:"<title>Owl PHPMailer"; fast_pattern; content:"function stopSending()"; content:"function startSending()"; classtype:web-application-attack; sid:2029906; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029908; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029916; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_15, updated_at 2020_04_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<meta name=|22|description|22 20|content=|22|This Mini Shell"; nocase; content:"<meta name=|22|author|22 20|content=|22|An0n 3xPloiTeR"; fast_pattern; distance:0; nocase; classtype:web-application-attack; sid:2029918; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_15, updated_at 2020_04_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WSO 2.6</title>"; nocase; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029934; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>DRIV3R KR PRIV8 MAILER"; fast_pattern; nocase; classtype:web-application-attack; sid:2029936; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<meta name=|22|Description|22 20|content=|22|Mr.Rm19"; nocase; content:">Time On Server : <font color="; nocase; distance:0; content:">Server IP : <font color="; nocase; distance:0; content:">Current Dir : </font><a href="; nocase; distance:0; content:">Mass Deface</a>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029938; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>|20 7c 20|Log In|20 7c 20|Power Mailer Inbox"; nocase; content:"</a>Welcome To Power Mailer Inbox"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029940; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>F. Mortolino</title>"; nocase; content:"MortoLino - mode*SPAMMER"; nocase; distance:0; fast_pattern; metadata: former_category WEB_CLIENT; classtype:web-application-attack; sid:2029942; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>GwEx Mailer"; nocase; fast_pattern; content:">GwEx Mailer </font>"; nocase; distance:0; classtype:web-application-attack; sid:2029944; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>W0rmVps PRIV8 MAILER"; nocase; fast_pattern; classtype:web-application-attack; sid:2029946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>SMTP Mailer</title>"; nocase; fast_pattern; content:">Inbox SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2029948; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<title>Priv8 Mailer Inbox"; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2029950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_04_17, updated_at 2020_04_17;)