#This is Firekeeper default rules file
#It can't be edited because it is replaced when Firekeeper is updated.


alert (msg:"Nortan antivirus sysmspam.dll load attempt"; body_content:"clsid|3A|"; nocase; body_content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase;  reference:bugtraq,9916; reference:cve,2004-0363; fid:2485; rev:4;)

alert (msg:"readme.eml autoload attempt"; body_content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; fid:1290; rev:10;)

alert (msg:"Javascript document.domain attempt"; body_content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; fid:1840; rev:7;)

#alert (msg:"Javascript URL host spoofing attempt"; body_content:"javascript|3A|//"; nocase; reference:bugtraq,5293; fid:1841; rev:5;)

alert (msg:"RealPlayer arbitrary javascript command attempt"; headers_content:"Content-Type|3A|"; nocase; headers_content:"application/smi"; nocase; headers_re:"/^Content-Type\x3a\s*application\x2fsmi/mi"; body_content:"file:javascript"; nocase; body_re:"/<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/i"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; fid:2437; rev:7;)

alert (msg:"RealPlayer playlist file URL overflow attempt"; url_re:"/\.ram$|\.rmp$|\.smi$|\.rt$|\.rp$/i"; body_content:"file|3A|//"; nocase; body_re:"/^file\x3a\x2f\x2f[^\n]{400}/im"; reference:bugtraq,9579; reference:cve,2004-0258; fid:2438; rev:5;)

alert (msg:"RealPlayer playlist http URL overflow attempt"; url_re:"/\.ram$|\.rmp$|\.smi$|\.rt$|\.rp$/i"; body_content:"http|3A|//"; nocase; body_re:"/^http\x3a\x2f\x2f[^\n]{400}/im"; reference:bugtraq,9579; reference:cve,2004-0258; fid:2439; rev:5;)

alert (msg:"RealPlayer playlist rtsp URL overflow attempt"; url_re:"/\.ram$|\.rmp$|\.smi$|\.rt$|\.rp$/i"; body_content:"rtsp|3A|//"; nocase; body_re:"/^rtsp\x3a\x2f\x2f[^\n]{400}/im"; reference:bugtraq,9579; reference:cve,2004-0258; fid:2440; rev:5;)

alert (msg:"local resource redirection attempt"; headers_content:"Location|3A|"; nocase; headers_content:"URL"; nocase;  headers_re:"/^Location\x3a\s*URL\s*\x3a/im"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; fid:2577; rev:3;)

alert (msg:"Content-Disposition CLSID command attempt"; headers_content:"Content-Disposition|3A|"; nocase; headers_re:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; fid:2589; rev:3;)

alert (msg:"winamp .cda file name overflow attempt"; body_content:".cda"; nocase; body_re:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; fid:3088; rev:1;)

alert (msg:"object type overflow attempt"; body_content:"<OBJECT"; nocase; body_re:"/<OBJECT\s+[^>]*type\s*=[\x22\x27][^>]*?\x2f{32}/smi"; reference:cve,2003-0344; fid:3149; rev:3;)


alert (msg:"Windows Media Player directory traversal via Content-Disposition attempt"; headers_content:"Content-Disposition|3A|"; nocase; headers_re:"/Content-Disposition\s*\x3a\s*filename=[^\x3b\x3a\r\n]*(%2e%2e%5c)/smi"; reference:cve,2003-0228; fid:3192; rev:1;)

alert (msg:"winhelp clsid attempt"; body_content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; body_re:"/<OBJECT\s+[^>]*classid\s*=\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; reference:bugtraq,4857; reference:cve,2002-0823; fid:3148; rev:2;)

alert (msg:"Outlook EML access"; url_content:".eml"; nocase;  url_re:"/\.eml$/i"; reference:nessus,10767; fid:1233; rev:11;)

alert (msg:"Microsoft emf metafile access"; url_content:".emf"; nocase; url_re:"/\.emf/i"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; fid:2435; rev:4;)

alert (msg:"Microsoft wmf metafile access";  url_content:".wmf"; nocase; url_re:"/\.wmf/i"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; fid:2436; rev:4; url_content: "wmf";)


#Dissabled by default - to many false positives.
#alert (msg:"JPEG parser heap overflow attempt"; headers_content:"image/"; nocase; headers_re:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; body_content:"|ff d8|"; nocase; body_re:"/\xFF\xD8.{2}/smi"; body_re:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; fid:2705; rev:4;)