
fwsnort-1.6.8-2.mga7.noarch.rpm

# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id$
#--------------
# NETBIOS RULES
#--------------



# --- SMB Tree Connect AndX to the IPC$ share, NetBIOS session (139) and direct SMB (445) ---
# Match layout shared by all share-access rules in this file: byte 0 is |00| (the NetBIOS
# session message type), then "|FF|SMBu" 3 bytes further on -- the SMB1 header magic followed
# by command byte 0x75 'u' (Tree Connect AndX, as the msg indicates).  byte_test on the byte
# 6 past the command (flags2 high byte, mask 0x80) tells ASCII ("!&") from Unicode ("&") path
# encodings; pcre:"/^.{27}/R" only advances the match cursor by 27 bytes, and byte_jump skips
# a 2-byte little-endian length field (presumably the PasswordLength word of Tree Connect AndX
# -- verify against the SMB1 layout) so the share name is matched where it actually starts.
# Each hit sets flowbit smb.tree.connect.ipc, which the winreg "create tree" rules
# (sids 2174, 2175, 2476, 2477) require on the same flow.
# NOTE(review): only the SMB1 magic |FF|SMB is matched; SMB2/3 sessions (|FE|SMB) are not
# covered by any rule in this file.
# NOTE(review): this file ships inside fwsnort; to my knowledge fwsnort cannot translate
# byte_test, byte_jump, pcre, flowbits, asn1, threshold or tag into iptables, so rules that
# use them are likely skipped or only partially translated -- confirm against fwsnort's
# translation output before relying on them.
# NOTE(review): IPC$ connects are routine for legitimate administration; classtype is
# protocol-command-decode, so treat hits as state for the flowbits chain, not as an alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:538; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2465; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2466; rev:6;)


# --- Tree Connect AndX to the administrative D$ share (ASCII and Unicode, 139 and 445) ---
# Same header walk as the IPC$ rules above; the share name "D$" (|24| is '$') is matched
# 2 bytes past the skipped length field.  No flowbit is set: these are stand-alone alerts.
# NOTE(review): with $EXTERNAL_NET set to "any" these fire on every administrative drive
# mapping from inside the network as well; scope the variables before enabling.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:536; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2467; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2468; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2469; rev:6;)

# --- Tree Connect AndX to the administrative C$ share (ASCII and Unicode, 139 and 445) ---
# "C$" is a suffix of "IPC$", so after matching "C$" each rule looks back (negative distance,
# bounded by within) and rejects the hit if the bytes immediately before spell "IPC$"; that
# keeps these alerts from duplicating the IPC$ rules (sids 537/538/2465/2466).  The lookback
# is 5 bytes for ASCII and 10 for the Unicode form.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:533; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2470; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:2471; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2472; rev:8;)



# --- Tree Connect AndX to the ADMIN$ share (ASCII and Unicode, 139 and 445) ---
# Same header walk as the IPC$ rules; the share name is matched literally, case-insensitive.
# No flowbit is set.  ADMIN$ maps the system root, so a hit from an address that is not a
# known management host is worth correlating with the C$ and winreg rules on the same flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:532; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2473; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2474; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2475; rev:6;)


# --- NT Create AndX (command byte |A2|) opening the \winreg named pipe, port 139 ---
# Requires smb.tree.connect.ipc to have been set on this flow (sids 537/538), then matches the
# pipe name "\winreg" (|5C| is '\') at a fixed distance of 51 bytes after the 27-byte skip.
# Sets smb.tree.create.winreg.
# NOTE(review): the only consumers of smb.tree.create.winreg in this file (sids 2478/2479) are
# port-445 rules, and flowbits are per flow, so these two port-139 rules set state that
# nothing here reads; the alert itself still fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2174; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2175; rev:7;)

# where did these come from?  I don't know.  Let's disable them for real for now
# and deal with it later...
### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)


# --- NT Create AndX (command byte |A2|) opening the \winreg named pipe, port 445 ---
# Port-445 twins of sids 2174/2175: require smb.tree.connect.ipc (set by sids 2465/2466 on
# this port), match "\winreg" 51 bytes past the header skip, and set smb.tree.create.winreg,
# which the winreg bind rules (sids 2478/2479) consume on the same flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2476; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2477; rev:5;)


# --- DCERPC bind to the winreg interface carried over SMB Transaction (command byte '%'), 445 ---
# Requires smb.tree.create.winreg (sids 2476/2477).  After the header skip the rule expects
# "&|00|" 29 bytes on (presumably the named-pipe transact subcommand -- verify), then the
# "\PIPE\" prefix, then byte_jump:2,-10,relative,from_beginning re-positions to the start of
# the transaction data using a 2-byte length read 10 bytes back.  There it checks the DCERPC
# header: version |05|, PDU type |0B| (bind), and 29 bytes later the 16-byte interface UUID
# that identifies winreg (per the msg).  Sets smb.tree.bind.winreg for the
# InitiateSystemShutdown rules (sids 2480-2483).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2478; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2479; rev:6;)


# --- winreg InitiateSystemShutdown request over SMB Transaction, port 445 ---
# Requires smb.tree.bind.winreg (sids 2478/2479).  Same pipe walk as the bind rules, then a
# DCERPC request (version |05|, PDU type |00|) whose opnum 19 bytes on is 0x18 (24): the four
# variants cover Unicode/ASCII SMB strings crossed with the DCERPC data-representation byte
# (byte 3 of the header, mask 0x10) so the opnum is matched as |00 18| when that bit is clear
# and |18 00| when it is set.
# NOTE(review): a remote shutdown request is an impact action, yet the classtype here is only
# protocol-command-decode; consider raising its priority in local tuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2480; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2481; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2482; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2483; rev:6;)



# --- Legacy content-only signatures on port 139 (no header walk, no relative offsets) ---
# Each rule searches the whole payload for one or two literal strings:
#   1293-1295  Nimda worm drop artefacts (UTF-16 ".EML", ".NWS", "RICHED20") from f-secure's
#              description.
#   529        RFPoison DoS: a UTF-16 "\\*SMBSERVER" path followed by a fixed parameter block.
#   530        NT NULL-session fingerprint: the UTF-16 native-OS string "Windows NT 1381"
#              preceded by four zero bytes (CVE-2000-0347 / bugtraq 1163).
#   1239       RFParalyze: the two marker strings "BEAVIS" and "yep yep" (same references,
#              plus nessus 10392).
#   534, 535   "\.." / "\..." directory-traversal style path components.
# Because nothing anchors these matches, short strings like "BEAVIS" can appear in benign
# file contents transferred over SMB; expect occasional false positives.
# NOTE(review): these plain content rules are the ones most likely to survive fwsnort's
# translation to iptables string matches -- confirm in the generated ruleset.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)


# --- SMB Trans2 (command byte '2') naming the All Users Startup folder, port 139 ---
# Anchors on the NetBIOS |00| byte and "|FF|SMB2" at offset 4, then searches the rest of the
# payload (distance:0) for the "Documents and Settings\All Users\Start Menu\Programs\Startup"
# path in ASCII (sid 2176) or, from "\Start Menu" onward, in UTF-16 (sid 2177).
# classtype is attempted-recon, but a write to that folder is a persistence mechanism; a hit
# from an unexpected source deserves a look at what file was placed there.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)



# --- Disabled Samba-client fingerprint and two SMB1 DoS/overflow checks on port 139 ---
# sid 539 (commented out) would merely flag a Samba client by its "Unix / Samba" strings;
#   classtype not-suspicious, left disabled.
# sid 2101: SMB Transaction (command byte '%') whose 4 bytes at payload offset 43 are all zero
#   (the msg reads this as MaxParameterCount/MaxCount of 0) -- MS02-045 / CVE-2002-0724 DoS.
# sid 2103: Trans2 (command byte '2') with |00 14| at payload offset 60 followed by a 2-byte
#   little-endian value greater than 256 -- the "trans2open" Samba overflow, CVE-2003-0201.
# Both are fixed-offset checks and assume the NetBIOS session header is 4 bytes; fragmented
# or chained AndX requests are not handled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)



# --- DCERPC over raw TCP 135 and over SMB 445: malformed binds and ISystemActivator ---
# DCERPC header fields used here: byte 0 version |05|, byte 2 PDU type (|0B| bind, |0C|
# bind_ack), byte 3 flags tested with mask 1 (first-fragment), byte 4 data representation
# tested with mask 0x10 for little-endian.
# sid 2190 / 2191: a bind whose byte 21 bytes after the flags is |00| -- read by the authors
#   as an invalid bind (classtype attempted-dos); 2191 is the same check reached through the
#   SMB Transaction + "\PIPE\" walk on port 445.
# sid 2350: SERVER -> client bind_ack from port 135 with |00 00| 33 bytes on; only fires when
#   dce.isystemactivator.bind.attempt was set by sid 2192, sets dce.isystemactivator.bind and
#   is flowbits:noalert -- it is pure state for the two rules below.
# sid 2351 / 2352: after a bind was acknowledged, a UTF-16 "\\" path whose 4-byte length field
#   8 bytes earlier exceeds 256 -- the RPC DCOM path overflow, MS03-026 / CVE-2003-0352.
#   2351 checks the little-endian flag with "&,16" and reads the length little-endian; 2352
#   uses "<,16" (bit 0x10 clear) and reads it big-endian.
# NOTE(review): the bind_ack rule keys on $HOME_NET 135 as the source, so the whole chain only
# works when the RPC server is inside $HOME_NET and both directions of the flow are seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:9;)




# --- DCERPC bind to the ISystemActivator interface (UUID bytes per the msg), 135 and 445 ---
# The 16-byte interface identifier is matched 29 bytes after the PDU-type byte.
# sid 2192 (raw TCP 135): sets dce.isystemactivator.bind.attempt and is flowbits:noalert --
#   it only arms the bind_ack rule (sid 2350), which in turn arms the path-overflow rules.
# sid 2193 (445, via "\PIPE\"): sets dce.isystemactivator.bind.call.attempt, consumed by the
#   ORPCThis flood rules (sids 2494/2495); this one DOES alert.
# sid 2491 (445, Unicode form): same flowbit; its references point at MS04-011 / CVE-2003-0813
#   rather than MS03-026.  The byte_test:2,&,1,5,relative on the SMB flags2 word is what
#   distinguishes it from 2193 -- presumably the Unicode flag read as a 2-byte word; verify.
# NOTE(review): no rule in this file ever clears these flowbits, so on a long-lived session
# the downstream rules stay armed until the flow times out.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;)


# --- ISystemActivator bind over SMB on port 139 (ASCII and Unicode pipe names) ---
# Port-139 twins of sids 2491/2193: anchor on the NetBIOS |00| byte and "|FF|SMB%", test the
# flags2 word (the "^" form in 2492 versus "&" in 2493 is what separates the ASCII and Unicode
# variants -- the exact semantics of byte_test "^" should be checked against the Snort
# version in use), walk to "\PIPE\" immediately followed by the DCERPC |05 00 0B| bytes, and
# match the interface UUID 29 bytes on.  Both set dce.isystemactivator.bind.call.attempt for
# the ORPCThis flood rules (sids 2494/2495).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:7;)







# --- Binds and calls to other DCERPC interfaces, identified by the 16-byte UUID after the
#     bind header (each UUID is the one the msg names) ---
# sid 2251 / 2252: Remote Activation bind on 135 and via SMB on 445 (MS03-039, CVE-2003-0528 /
#   -0605 / -0715).  Both carry tag:session,5,packets, so the 5 packets following a hit are
#   logged as well -- useful for pulling the activation request that comes next.
# sid 2257 / 2258: Messenger Service overflow (MS03-043, CVE-2003-0717).  2257 is UDP 135 and
#   keys on the connectionless DCERPC header |04 00|; both then use two aligned little-endian
#   byte_jumps to reach a length field that must exceed 1024.
# sid 2308-2311: Workstation Service bind over SMB on 139/445, Unicode and ASCII pipe names
#   (MS03-049, CVE-2003-0812).  Unicode/ASCII is again separated by the flags2 byte_test
#   ("&" vs "^").
# sid 2315 / 2316: the same interface bound directly on any TCP/UDP port >= 1024 ("1024:") --
#   covers endpoints the endpoint mapper hands out instead of the named pipe.
# sid 2348: spoolss bind over SMB 445; flowbits:noalert, only sets dce.printer.bind.
# sid 2349: DCERPC request on that flow with the flags byte masked by 3 and |00 00| 19 bytes
#   on (the msg reads this as an enumerate-printers call); classtype attempted-recon.
# NOTE(review): the ">= 1024" rules (2315/2316) inspect every high-port flow to $HOME_NET with
# only a 3-byte / 2-byte anchor before the UUID match; they are cheap in Snort but are the
# kind of broad match fwsnort would turn into an iptables string test on all traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14;)
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)

# --- Session Setup AndX (command byte 's') carrying an oversized ASN.1 security blob ---
# Ports 139 and 445; CVE-2003-0818 (bugtraq 9633/9635, the ASN.1 library overflow).  After the
# header skip, byte_test:4,&,2147483648,21,relative,little requires the top bit of a 4-byte
# little-endian word 21 bytes on (presumably the extended-security capability flag -- verify
# against the Session Setup AndX layout), then content:!"NTLMSSP" rejects blobs that start with
# a raw NTLMSSP token, leaving the ASN.1-wrapped (SPNEGO) case for the asn1 check:
# double_overflow and bitstring_overflow at relative offset 27, or any length over 2048.
# NOTE(review): the msg text spells the token "NTMLSSP" while the content option matches
# "NTLMSSP"; the msg is left untouched here because downstream alert parsing may key on it,
# but anyone searching alerts for "NTLMSSP" will miss these two sids.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:2382; rev:16;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:2383; rev:16;)

# --- Session Setup AndX with an over-long account name (eEye AD20040226, bugtraq 9752) ---
# All four first require the 2-byte NetBIOS length at payload offset 2 to exceed 322, then
# "|FF|SMBs" at offset 4.
# sid 2401 / 2402 (ASCII, flags2 high byte < 128): four zero bytes 42 bytes on, a 2-byte
#   little-endian length 8 bytes later greater than 255, and then NO |00| terminator within the
#   next 255 bytes -- i.e. the name field really is that long.
# sid 2403 / 2404 (Unicode, flags2 bit 0x80 set): a 2-byte little-endian length 54 bytes on
#   greater than 255, then a UTF-16 terminator |00 00| only reached 255 bytes after the |00|
#   found 56 bytes later.
# NOTE(review): the Unicode rules open with two unanchored content:"|00 00|"; distance:0
# matches before the offset-0 |00| anchor; those leading matches add nothing that the later
# anchored checks do not already require -- presumably a leftover from an earlier revision.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)



# --- DCERPC ORPCThis request flood (CVE-2003-0813, bugtraq 8811, nessus 12206, MS04-011) ---
# Matches a DCERPC v5 PDU (|05| at +0, |00| at +2 = request packet type, byte_test:1,&,1,0,relative = first-fragment
# flag set at +3) carrying the "MEOW" marker (the DCOM OBJREF signature) 21 bytes after the fragment flags, but only on a
# flow where dce.isystemactivator.bind.call.attempt was set by an ISystemActivator bind rule that is not in this section.
# threshold:type both,track by_dst,count 20,seconds 60 makes this a rate detector: nothing below 20 such requests per
# destination per minute, one alert per destination per minute above it. classtype is misc-attack rather than
# attempted-admin, so treat the alert as a denial-of-service indicator when triaging.
# sid 2494 is raw DCERPC on 135; sids 2495/2496 apply the same body on 139/445 without any SMB framing check.
# NOTE(review): content:"|05|"; within:1 with no earlier match anchors on the first payload byte, so the 139/445 copies can
#   only match when a (reassembled) segment begins exactly at the DCERPC header rather than at the NetBIOS/SMB header;
#   confirm that is the intended coverage.
# NOTE(review): "DCEPRC" in all three msg strings is a typo for "DCERPC"; a fix should bump rev.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:7;)


# --- LSASS over raw DCERPC, port 135 (CVE-2003-0533, bugtraq 10108, MS04-011) ---
# Two-stage detection joined by the flowbit netbios.lsass.bind.attempt:
#  sid 2507: DCERPC v5 PDU with |00| at +2 and the first-fragment flag set, whose 16-byte interface UUID at +32 is
#            j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5| -- read as a little-endian GUID that is
#            3919286a-b10c-11d0-9ba8-00c04fd92ef5, the lsarpc interface. flowbits:noalert: it only records state.
#  sid 2524: the same UUID match after an SMB header (|FF|SMB) and a |05| ... |0B| (v5, bind packet type) pair; noalert.
#  sid 2508: alerts when the flowbit is set and a request PDU (|00| at +2) carries opnum |09 00| at +22, which the
#            msg identifies as DsRolerUpgradeDownlevelServer. This is the stage to page on (classtype attempted-admin).
# NOTE(review): sid 2507 tests |00| at the packet-type position where sid 2524 tests |0B|; a bind PDU carries type 0x0B,
#   so whether 2507 is meant to catch the bind itself or the first request on the association is worth confirming.
# NOTE(review): sid 2524 requires SMB framing yet is bound to port 135, where traffic is normally raw DCERPC; sids 2525
#   (139) and 2526 (445) below carry the identical body on the ports where SMB framing actually occurs.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;)


# --- LSASS bind/exploit carried over SMB on port 139 (CVE-2003-0533, bugtraq 10108, MS04-011) ---
# sid 2509 (unicode pipe name) / sid 2510 (ASCII pipe name): SMB Transaction ('%' = 0x25 command byte), function word
#   &|00| 56 bytes past the command byte (0x0026, the named-pipe transact function), the \PIPE\ name, then the inline
#   DCERPC header |05 00 0B| (v5.0, bind). byte_test:1,&,16,1,relative checks the data-representation byte right after
#   it for the little-endian-integer bit; the lsarpc interface UUID follows 29 bytes on. Both set
#   netbios.lsass.bind.attempt with flowbits:noalert, so they are state only.
# sid 2525: "direct bind" form -- |05| anywhere after the SMB magic, |0B| two bytes later, same UUID 29 bytes on; noalert.
# sid 2511: alerts once the flowbit is set and a request PDU arrives (|05| at least 59 bytes after the SMB magic, |00|
#   packet type, opnum |09 00| at +22 = DsRolerUpgradeDownlevelServer per the msg). classtype attempted-admin.
# NOTE(review): sid 2510 uses byte_test:2,^,1,5,relative where its unicode sibling sid 2509 uses "&". In Snort byte_test
#   "^" is bitwise XOR, and (value XOR 1) is non-zero for every 2-byte value except exactly 1, so the test is close to a
#   no-op and sid 2510 is looser than 2509; confirm the intended flag test before relying on the pair to separate the
#   two forms.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;)


# sid 2511: the alerting stage for port 139 -- depends on one of the three noalert rules above having set the flowbit
# on the same flow, so it is blind if the bind was seen on another connection or before the sensor started tracking.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;)



# --- Same LSASS bind/exploit chain for direct-hosted SMB on port 445 (CVE-2003-0533, bugtraq 10108, MS04-011) ---
# sid 2512 and sid 2513 both match the UTF-16 pipe name |5C 00|P|00|I|00|P|00|E|00 5C 00|; there is no ASCII \PIPE\
#   form for 445 in this section (compare sid 2510 on 139). Differences worth knowing when tuning:
#   - 2512 has no NetBIOS type-byte anchor (content:"|00|"; depth:1), allows one extra byte before the pipe name
#     (distance:5 instead of 4) and two before the DCERPC |05| (distance:2), presumably for alignment padding, and tests
#     the first-fragment flag (byte_test:1,&,1,0,relative after |0B|) instead of the data-representation byte;
#   - 2513 mirrors 2509 but drops its Flags2 byte_test, so unicode is implied only by the pipe-name encoding.
#   Both set netbios.lsass.bind.attempt with flowbits:noalert.
# sid 2526 mirrors 2525 ("direct bind", noalert); sid 2514 mirrors 2511 and is the alerting stage (attempted-admin).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;)
# --- NetBIOS Name Service responses from UDP 137 (CVE-2004-0444/0445, bugtraq 10333-10335, eEye AD20040512A/C) ---
# Both rules inspect datagrams coming *from* port 137, i.e. the name-server side answering a client on $HOME_NET, so an
# unsolicited (spoofed) response triggers them just as a reply to a real query would.
# byte_test:1,>,127,2 requires the response bit (high bit of byte 2 of the DNS-style header); content:"|00 01|" at
# offset 6 is an answer count of exactly one.
# sid 2563 (to any port): byte_test:1,>,32,12 -- the label length byte at offset 12 above 32, longer than a first-level
#   encoded NetBIOS name can be.
# sid 2564 (137 -> 137 only): dsize:<56 -- a response too short to hold the record it claims to carry, presumably the
#   truncated-response case the second eEye advisory covers; confirm against the reference before changing the bound.
alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;)
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;)
# --- Repeated SMB logon failures (server -> client): password-guessing indicator ---
# flow:from_server -- these watch *replies* leaving $HOME_NET. |73| right after the |ff|SMB magic is the Session Setup
# AndX command and |6d0000c0| is NT status 0xC000006D (STATUS_LOGON_FAILURE) in little-endian byte order, i.e. the
# server rejected a logon.
# threshold:type threshold,track by_dst,count 10,seconds 60 alerts on every 10th failure per destination within a
# minute; because the rule is server->client, "by_dst" keys on the external client doing the guessing, which is the
# useful key for correlation. classtype unsuccessful-user.
# Lower-case, unspaced hex (|6d0000c0|) is accepted by the Snort content parser; cosmetic difference from the rest of
# the file. The sids are also out of order here (2924 on 445 before 2923 on 139) -- harmless, but easy to miss.
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|73|"; distance:0; within:1; content:"|6d0000c0|"; distance:0; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:2;)
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|73|"; distance:0; within:1; content:"|6d0000c0|"; distance:0; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:2;)
# --- AndX-aware share-access, nddeapi and winreg rules (sids 29xx) ---
# Two rule shapes appear below, each for port 139 (SMB over NetBIOS) and 445 (direct-hosted SMB):
#  * "plain": |FF|SMB followed by the literal command byte ('%' = Transaction, 'u' = Tree Connect AndX, |A2| = NT Create
#    AndX) and pcre "/^.{27}/R" to step over the rest of the header.
#  * "andx":  |FF|SMB followed by pcre "/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR" -- the SMB commands that carry
#    an AndX chain -- then the wanted command byte at the fixed absolute offset 39 and byte_jump:2,0,little,relative,
#    presumably following the AndX offset word to the chained command's block. Note the outer-command list omits the
#    target command itself (no \x75 in the share-access rules, no \xa2 in the tree-create rules), so the plain form is
#    not matched twice. This handles one level of chaining from that fixed position; sid 2951 ("too many stacked
#    requests", 445 only) is the companion that flags requests whose chain continues past the second command.
# Unicode vs ASCII is selected by byte_test:1,&,128,6,relative ("&" = unicode flag set, "!&" = clear) and matched
# against the correspondingly encoded literal (e.g. "IPC|24 00|" vs "I|00|P|00|C|00 24 00 00 00|").
# Flowbit chain (every later stage is gated on the earlier one being seen on the same flow):
#   IPC$ share access (2953/2954/2955)                    -> sets smb.tree.connect.ipc
#   \nddeapi tree create (2930/2931/2958)                 -> sets smb.tree.create.nddeapi   (needs connect.ipc)
#   nddeapi bind (2932/2935/2960/2961/2962), interface UUID " 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"
#     (decodes as 2f5f3220-c126-1076-b549-074d078619da)   -> sets smb.tree.bind.nddeapi     (needs create.nddeapi)
#   NDdeSetTrustedShareW opnum |00 0C| / |0C 00| followed by 256 (ASCII) or 512 (unicode) bytes with no terminator
#     (2936/2937/2939/2947/2948/2949/2965/2970/2971)      -> attempted-admin alert; CAN-2004-0206, bugtraq 11372
#   \winreg tree create (2984/2985)                       -> sets smb.tree.create.winreg    (needs connect.ipc)
#   winreg bind (2988/2989), interface UUID "|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"
#     (decodes as 338cd001-2244-31f1-aaaa-900038001003)   -> sets smb.tree.bind.winreg      (needs create.winreg)
#   InitiateSystemShutdown opnum |00 18| / |18 00| (2943/2944/2993/2994/2997/2998) -> protocol-command-decode alert
# Unlike the LSASS rules above, the intermediate stages here do not use flowbits:noalert, so each stage raises its own
# protocol-command-decode alert; the share-access rules (including C$/D$/ADMIN$: 2972/2976/2977/2979/2981) fire on
# ordinary administrative use and are inventory/audit signals rather than attack indicators. The whole chain only works
# with stream reassembly and all stages loaded; disabling a bind rule silently disables the overflow rules after it.
# The C$ rules carry content:!"IPC|24 00|" (or its UTF-16 form) looking back over the same bytes, because "C$\0" is a
# suffix of "IPC$\0" and would otherwise double-fire on IPC$ connects.
# NOTE(review): the opnum rules pair byte_test:1,&,16,3,relative with the big-endian opnum (|00 0C|, |00 18|) and "!&"
#   with the little-endian one (|0C 00|, |18 00|), and the msg strings call the "!&" forms "little endian". In the
#   DCERPC data-representation label, bit 0x10 *set* denotes little-endian integers, so this pairing reads as inverted
#   relative to the spec; verify against captured traffic before treating a missed alert as a non-event.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2932; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2994; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:2976; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2939; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2958; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2937; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2971; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2944; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2972; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2936; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2953; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2979; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2961; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2960; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2948; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2949; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2930; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2931; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2970; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2965; rev:3;)
# sid 2951: deep AndX chains. The pcre requires two AndX-capable command bytes 28 bytes apart inside the first 37 bytes;
# byte_jump:2,39,little then follows the second offset word and content:!"|FF|" 36 bytes back appears to check that the
# jump did not just land on another SMB header, i.e. the chain really continues. No port-139 sibling exists here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; distance:-36; within:1; classtype:protocol-command-decode; sid:2951; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2997; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2947; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2943; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2998; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2935; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2962; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2977; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2981; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2993; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2942; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2969; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2973; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2999; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2952; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2966; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2940; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2996; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2963; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2959; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2992; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2929; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2956; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2946; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2934; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:2978; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2982; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2967; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2957; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2941; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2995; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; distance:-36; within:1; classtype:protocol-command-decode; sid:2950; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2974; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2938; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2964; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2980; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2983; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2933; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2945; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2928; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2968; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2975; rev:2;)
# --- Session Setup AndX carrying an ASN.1 (SPNEGO) security blob (CVE-2003-0818) ---
# byte_test:4,&,2147483648,21,relative,little reads the Capabilities dword (WordCount + 21)
# and requires bit 0x80000000, i.e. the extended-security form of the request whose security
# blob starts 27 bytes past WordCount (right after ByteCount).  A blob that does *not* begin
# with the raw "NTLMSSP" token is treated as ASN.1/SPNEGO and handed to the asn1 decoder at
# that same offset (oversize_length 2048, double/bitstring overflow checks).
# NOTE(review): the msg text reads "NTMLSSP" in all six rules although the content match is
# "NTLMSSP"; it is a typo in the alert name only.  Left unchanged here because fwsnort and
# downstream log parsers may key on the exact msg string -- fix it in a coordinated rev bump.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3004; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3005; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3000; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3001; rev:2;)
# --- NT Trans (0xA0) / NT_TRANSACT_CREATE with a malformed security descriptor (CVE-2004-1154) ---
# "|01 00|" at distance 37 from WordCount is the NT Trans Function field (NT_TRANSACT_CREATE).
# byte_jump:4,-7,little,relative,from_beginning follows DataOffset, and the pcre "/^.{4}/R"
# then re-adds the 4-byte NBSS header, landing on the self-relative SECURITY_DESCRIPTOR in the
# data block.  sid 3025 instead follows ParamOffset (-15) and tests the parameter dword at +36
# (SecurityDescriptorLength) for > 1024.
# The "overflow" rules require a non-zero offset dword in the descriptor, jump by it and test
# the dword 16 bytes back from the landing point against 32; the "dos" rules look for a zero
# word 10 bytes back from that point.  The dos rules use flow:stateless: a single packet is
# enough, so no established stream is required for them to fire.
# NOTE(review): the four "invalid SACL ace size dos" rules disagree on which descriptor field
# they follow.  sids 3044 and 3047 use distance:12 / byte_jump ...12 (as do the "SACL overflow"
# rules 3027 and 3030), while sids 3051 and 3054 use 16 (as does the "DACL overflow" rule 3036).
# In a self-relative security descriptor OffsetSacl is at 12 and OffsetDacl at 16, so 3051 and
# 3054 appear to inspect the DACL despite their msg -- confirm against a capture and align the
# four rules in a rev bump.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3051; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3044; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3047; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3054; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3057; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3048; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3050; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3046; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3053; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3043; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3042; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3052; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3045; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3056; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3055; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3049; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:1;)
# ---------------------------------------------------------------------------
# llsrpc (License Logging Service) named pipe: tree create, DCERPC bind and
# LlsrConnect request checks (reference: MS05-010 on the overflow rules).
# Three stages, chained through flowbits:
#   1. "create tree"  -- requires smb.tree.connect.ipc already set on the
#      session, matches NT_CREATE_ANDX (|A2|) opening "\llsrpc" and sets
#      smb.tree.create.llsrpc.
#   2. "bind"         -- sets smb.tree.bind.llsrpc.  SMB_COM_TRANSACTION
#      (0x25 = "%") with Setup[0] = "&|00|" (0x0026, TransactNmPipe) on
#      "\PIPE\"; byte_jump:2,-17,relative,from_beginning,little follows the
#      transaction DataOffset and pcre:"/^.{4}/R" skips the NetBIOS header,
#      landing on the DCERPC PDU: version |05|; drep byte (offset 3) bit 0x10
#      = little-endian integer order ("little endian" rules require it set,
#      the others clear); ptype |0B| = bind; at +29 the abstract-syntax UUID
#      40 FD 2C 34 6C 3C CE 11 A8 93 08 00 2B 2E 9C 6D, i.e.
#      342cfd40-3c6c-11ce-a893-08002b2e9c6d (llsrpc) in little-endian field
#      order.
#   3. "llsrconnect ... overflow" -- requires smb.tree.bind.llsrpc.  Same PDU
#      walk, ptype |00| = request, "|00 00|" at +19 = opnum 0 (LlsrConnect),
#      then byte_test:4,>,52 (ASCII rules) / >,104 (unicode rules) on the
#      first stub dword, presumably the NDR MaxCount of the server-name
#      string argument.
# Review notes:
#  * The bind rules compare the UUID as a fixed little-endian byte string,
#    yet the "!&,16" variants demand big-endian drep, under which an NDR
#    encoder byte-swaps the first three UUID fields; those variants can only
#    match a PDU whose drep flag contradicts its encoding.  Windows clients
#    send little-endian drep, so the "&,16" variants are the ones that count.
#  * smb.tree.create.llsrpc is set by stage 1 but not consumed in this
#    section; stage 3 gates on smb.tree.bind.llsrpc alone, so a bind Snort
#    did not observe (or one done with a PDU type other than 0x0B) leaves the
#    overflow rules silent.  Keep the bind rules enabled if stage 3 matters.
#  * The bind rules raise an alert on every llsrpc bind (no
#    flowbits:noalert); add noalert if only the overflow stage is actionable.
#  * In the "little endian" overflow variants the final byte_test carries no
#    `little` modifier and therefore reads the stub dword big-endian although
#    the rule has just required a little-endian PDU; nearly any legitimate
#    MaxCount (e.g. 05 00 00 00 = 0x05000000 when read big-endian) then
#    exceeds the threshold.  Those byte_tests need `little`.
# ---------------------------------------------------------------------------
# sid 3109: stage 2, port 445, unicode pipe name, little-endian drep.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3109; rev:1;)
# sid 3092: stage 1, port 139, NT_CREATE_ANDX chained behind an AndX command
# (pcre list deliberately omits \xa2 here).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3092; rev:1;)
# sid 3111: stage 2, port 445, AndX-chained transaction, little-endian drep.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3111; rev:1;)
# sid 3100: stage 2, port 139, unicode pipe name, big-endian drep (!&,16) --
# see the UUID byte-order note above.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3100; rev:1;)
# sid 3114: stage 3, port 139, big-endian drep (!&,16); the default
# big-endian byte_test on the stub dword is consistent with that.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3114; rev:1;)
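# sid 3119: LlsrConnect overflow (MS05-010), port 139, SMB_COM_TRANSACTION
# reached through an AndX chain, little-endian DCERPC.  After locating the
# opnum-0 request the rule compares the first stub dword (presumably the NDR
# MaxCount of the server-name string) against 52.  byte_test reads big-endian
# unless told otherwise, and this rule has already required the little-endian
# drep flag (byte_test:1,&,16,3,relative), so the dword must be read
# little-endian: without `little` a legitimate MaxCount such as 05 00 00 00 is
# evaluated as 0x05000000 and the rule alerts on practically every call.
# Fix: `little` added to the final byte_test; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative,little; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3119; rev:2;)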
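# sid 3127: LlsrConnect overflow (MS05-010), port 445, SMB_COM_TRANSACTION
# reached through an AndX chain, little-endian DCERPC.  The rule requires the
# little-endian drep flag (byte_test:1,&,16,3,relative) but then tested the
# first stub dword (presumably the NDR MaxCount of the server-name string)
# with byte_test's big-endian default, so small legitimate values such as
# 05 00 00 00 read as 0x05000000 and exceeded 52.
# Fix: `little` added to the final byte_test; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative,little; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3127; rev:2;)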
# sid 3096: llsrpc stage 1 on port 445 -- NT_CREATE_ANDX (|A2| at offset 39)
# chained behind one of the AndX commands in the pcre (\xa2 itself omitted),
# ASCII pipe name "\llsrpc" at a fixed distance:51 after the AndX offset
# jump.  Requires smb.tree.connect.ipc on the session and sets
# smb.tree.create.llsrpc, which no rule in this section consumes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3096; rev:1;)
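# sid 3123: LlsrConnect overflow (MS05-010), port 445, stand-alone
# SMB_COM_TRANSACTION ("|FF|SMB%"), little-endian DCERPC.  The rule requires
# the little-endian drep flag (byte_test:1,&,16,3,relative) but then tested
# the first stub dword (presumably the NDR MaxCount of the server-name
# string) with byte_test's big-endian default, so small legitimate values
# such as 05 00 00 00 read as 0x05000000 and exceeded 52.
# Fix: `little` added to the final byte_test; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative,little; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3123; rev:2;)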
# sid 3110: llsrpc stage 2 on port 445, SMB_COM_TRANSACTION ("%" at offset 39)
# reached through an AndX chain, ASCII "\PIPE\", big-endian drep (!&,16).
# NOTE(review): the UUID is matched in little-endian field order
# (40 FD 2C 34 6C 3C CE 11 ...), which a genuinely big-endian NDR encoder
# would byte-swap, so this variant is unlikely to fire on well-formed
# traffic; the "little endian" sibling covers what Windows clients send.
# Sets smb.tree.bind.llsrpc, consumed by the llsrconnect overflow rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3110; rev:1;)
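# sid 3117: LlsrConnect overflow (MS05-010), port 139, stand-alone
# SMB_COM_TRANSACTION with a unicode pipe name, little-endian DCERPC; the
# threshold is 104 (twice the ASCII rules' 52).  The rule requires the
# little-endian drep flag (byte_test:1,&,16,3,relative) but then tested the
# first stub dword (presumably the NDR MaxCount of the server-name string)
# with byte_test's big-endian default, so small legitimate values such as
# 05 00 00 00 read as 0x05000000 and exceeded 104.
# Fix: `little` added to the final byte_test; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative,little; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3117; rev:2;)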
# sid 3108: llsrpc stage 2 on port 445, stand-alone SMB_COM_TRANSACTION,
# unicode "\PIPE\", big-endian drep (!&,16) with the UUID still matched in
# little-endian field order -- see the note on the sibling bind rules;
# unlikely to fire on well-formed traffic.  Sets smb.tree.bind.llsrpc.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3108; rev:1;)
# sid 3098: llsrpc stage 2 on port 139, stand-alone SMB_COM_TRANSACTION,
# ASCII "\PIPE\", big-endian drep (!&,16); same UUID byte-order caveat.
# Every bind raises an alert (no flowbits:noalert) and sets
# smb.tree.bind.llsrpc.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3098; rev:1;)
# sid 3095: llsrpc stage 1 on port 445, stand-alone NT_CREATE_ANDX
# ("|FF|SMB|A2|") with the unicode pipe name "\llsrpc" at distance:51.
# Requires smb.tree.connect.ipc; sets smb.tree.create.llsrpc, which no rule
# in this section consumes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3095; rev:1;)
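# sid 3121: LlsrConnect overflow (MS05-010), port 139, SMB_COM_TRANSACTION
# reached through an AndX chain with a unicode pipe name, little-endian
# DCERPC; threshold 104.  The rule requires the little-endian drep flag
# (byte_test:1,&,16,3,relative) but then tested the first stub dword
# (presumably the NDR MaxCount of the server-name string) with byte_test's
# big-endian default, so small legitimate values such as 05 00 00 00 read as
# 0x05000000 and exceeded 104.
# Fix: `little` added to the final byte_test; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative,little; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3121; rev:3;)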
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3103; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3102; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3099; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3126; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3118; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3124; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3116; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3113; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3120; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3129; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3091; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3094; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3105; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3107; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3115; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3125; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3093; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3112; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3101; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3097; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,104,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3128; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3090; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect overflow attempt"; flowbits:isset,smb.tree.bind.llsrpc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; byte_test:4,>,52,0,relative; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; sid:3122; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3104; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; within:16; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3106; rev:1;)
# --- SMB Trans2 QUERY_FILE_INFO / FIND_FIRST2 response overflow (MS05-011, CVE-2005-0045) ---
# Request-side rules (to_server; Trans2 subcommand |07 00| = QUERY_FILE_INFO or |01 00| =
# FIND_FIRST2 at distance 29 past the header) only set smb.trans2 and carry
# flowbits:noalert, so they never alert on their own. The to_client "response ...
# overflow attempt" rules require smb.trans2, clear it again (flowbits:unset) and alert
# when the 2-byte little-endian field at relative offset 7 exceeds 15.
# NOTE(review): the response rules are written with $HOME_NET 139/445 as the *source*,
# i.e. they only inspect responses sent by internal SMB servers to external clients.
# MS05-011 is, to my understanding, a flaw in the SMB client's handling of responses, so
# responses from external servers to internal clients are not covered by these lines --
# confirm that this direction is intended for the deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB2"; distance:3; within:5; pcre:"/^.{27}/R"; content:"|07 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3135; rev:1;)
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flowbits:isset,smb.trans2; flow:established,to_client; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; offset:39; depth:1; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3144; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB2"; distance:3; within:5; pcre:"/^.{27}/R"; content:"|01 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3141; rev:1;)
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flowbits:isset,smb.trans2; flow:established,to_client; content:"|00|"; offset:0; depth:1; content:"|FF|SMB2"; distance:3; within:5; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3143; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3140; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB2"; distance:3; within:5; pcre:"/^.{27}/R"; content:"|01 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3139; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB2"; distance:3; within:5; pcre:"/^.{27}/R"; content:"|07 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3137; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3142; rev:1;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flowbits:isset,smb.trans2; flow:established,to_client; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; offset:39; depth:1; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3146; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|07 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3136; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|07 00|"; distance:29; within:2; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3138; rev:1;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flowbits:isset,smb.trans2; flow:established,to_client; content:"|00|"; offset:0; depth:1; content:"|FF|SMB2"; distance:3; within:5; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3145; rev:1;)
# --- msqueue / CoGetInstanceFromFile (MS03-026, CVE-2003-0995), irot / IrotIsRunning
#     (CVE-2002-1561), ISystemActivator / RemoteActivation, winreg OpenKey (CVE-2000-0377) ---
# The "bind" rules here (sids 3163, 3157, 3241, 3251, 3406) are flowbits:noalert and only
# set smb.tree.bind.msqueue / smb.tree.bind.irot / dce.isystemactivator.bind; the request
# rules that require those bits (and dce.iactivation.bind / smb.tree.bind.winreg, which are
# set outside this span) do the alerting.
# NOTE(review): starting with sid 3256, the DCERPC version check is written `content:"|05|";`
# without the `within:1;` that sids 3163, 3185 and 3180 (and the llsrpc rules) place after
# `pcre:"/^.{4}/R"`. Without `within`, the |05| byte is searched from the current position
# to the end of the payload, so the later relative byte_test/content checks can end up
# anchored on some later 0x05 byte instead of the header's version byte. The port-135
# rules 3238/3239 likewise search for |05| with no position constraint, unlike sid 3157
# which uses `within:1`. Verify the intended anchoring against the Snort version in use.
# NOTE(review): in sids 3256 and 3260 the final `byte_test:4,>,1024,0,little` carries no
# `relative` modifier, so it reads from the start of the payload rather than from the
# position the preceding byte_jump moved to; the same applies to `byte_test:4,>,256,8` in
# sids 3431/3419 and `byte_test:4,>,256,6` in sids 3421/3413, which also follow an
# unanchored `content:"|5C 5C|"` / `content:"|5C 00 5C 00|"` search. Compare sids
# 3238/3239/3218, where the byte_test is `relative`. This looks like an omission; confirm
# before relying on these rules for the length check they describe.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3163; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3185; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3256: `content:"|05|"` has no within:1, and the closing byte_test is not relative (see notes above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3256; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3431; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3421; rev:1;)
# Port-135 (direct DCERPC, no SMB transport) variants of the IrotIsRunning check; the only
# difference between 3238 and 3239 is the data-representation bit and the byte order of the
# |00 02| / |02 00| field and of the final byte_test.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3238; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning little endian attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3239; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3241; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3419; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3260; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3413; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3218; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3157; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3180; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3406; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3251; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3205; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3211; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3384; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|"; distance:22; within:16; content:"|00 00|"; distance:28; within:2; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:cve,2003-0717; reference:bugtraq,8826; classtype:attempted-admin; sid:3234; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3397; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3217; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3416; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3170; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3160; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3377; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3428; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3233; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3435; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3178; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3183; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3248; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3245; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3412; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3386; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3166; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3392; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3409; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3270; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3227; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3203; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3226; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3208; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3255; rev:1;)
# Only UDP/137 (NetBIOS name service) rule in this block. It tests bit 0x40
# of byte 2, requires a |20| byte at offset 12, and then uses isdataat to
# demand at least 56 more bytes after it -- a length check on what follows
# that byte (presumably the encoded name field) rather than a match on a
# specific payload, so it keys on size, not on any particular exploit.
# References on the rule: CVE-2003-0825, bugtraq 9624.
alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:"|20|"; offset: 12; isdataat:56,relative; classtype:attempted-admin; reference:cve,2003-0825; reference:bugtraq,9624; sid:3196; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3430; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3389; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3174; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# NOTE(review): this port-135 IActivation bind rule matches the same UUID
# byte string as the SMB-transported IActivation bind rules (sids 3377,
# 3383, 3384, 3386, 3389, 3392), but sets dce.isystemactivator.bind instead
# of the dce.iactivation.bind flowbit those rules set and the
# RemoteActivation request rules test. It is also the only bind rule in
# this block without flowbits:noalert, so it alerts on every matching bind,
# and its |05| content carries no within:1 anchor (unlike sids 3157 and
# 3156). Confirm whether the flowbit name and the alert are intentional;
# since flowbits are per flow, a port-135 bind will not gate the port-139
# RemoteActivation rules in either case.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3265; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3415; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3268; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3156; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# --- DCERPC-over-SMB rule family (ports 139/445): skeleton shared by the rules below ---
# Every 139/445 rule anchors on the NetBIOS session byte |00| at payload offset 0 and the
# SMB signature |FF|SMB at offset 4.  The variants differ only in a few fixed option groups:
#   * "unicode" (per msg) rules test byte_test:1,&,128,6,relative and match the two-byte-
#     per-character pipe name |5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|; the non-unicode
#     rules ("ASCII" in the comments below) test !& and match |5C|PIPE|5C 00|.
#   * "andx" (per msg) rules match the SMB command byte with the pcre alternation right
#     after |FF|SMB, then require "%" at offset 39 and byte_jump over the AndX block; the
#     plain rules match |FF|SMB% directly and skip the rest of the header with pcre /^.{27}/R.
#   * byte_jump:2,-17,relative,from_beginning,little moves the cursor to the DCERPC PDU:
#     version byte |05|, then byte_test:1,&,16,3,relative on the data-representation byte
#     ("little endian" per msg) or !& for the rules whose later fields are big-endian.
#   * "bind" rules match PDU type |0B| and a 16-byte interface UUID 29 bytes later, set a
#     flowbit (smb.tree.bind.* / dce.*.bind) and are flowbits:noalert -- they only arm the
#     request rules, which carry flowbits:isset on the same bit, match PDU type |00|, the
#     2-byte opnum 19 bytes later, and then a length/size byte_test.
# NOTE(review): a byte_test without the "relative" modifier is evaluated from the start of
# the payload, not from the last match.  The size checks in sids 3439, 3427, 3423, 3411,
# 3440, 3426, 3432 and 3420 (after the |5C 00 5C 00| / |5C 5C| match) and in sids 3264,
# 3259 and 3269 (after the aligning byte_jump) omit it, so they read NetBIOS/SMB header
# bytes instead of the string-length field the msg implies -- confirm the intended form,
# presumably "byte_test:4,>,256,8,relative" (and the relative form for the IrotIsRunning trio).
# NOTE(review): most rules match the DCERPC version byte |05| without within:1, so the
# match can float to a later 0x05 in the payload and shift the whole relative chain; the
# msqueue family (3162, 3186, 3171, 3184, 3189, 3179, 3175, 3167, 3172, 3158) anchors it.
# sid 3439 / 445, unicode andx ISystemActivator request, opnum |00 04| (big-endian drep); armed by dce.isystemactivator.bind.  byte_test:4,>,256,8 is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3439; rev:1;)
# sid 3162 / 139, unicode bind to the msqueue interface UUID; sets smb.tree.bind.msqueue, noalert.  |05| is anchored with within:1 here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3162; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3186 / 445, unicode big-endian request opnum |00 01|, length field byte_test:4,>,256,20,relative; gated on smb.tree.bind.msqueue (not the ISystemActivator bit, despite the CoGetInstanceFromFile msg) -- as written.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3186; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3230 / 445, ASCII andx winreg OpenKey request, opnum |00 0F| (big-endian); byte_test:2,>,1024,20,relative bounds the 2-byte length field 20 bytes past the opnum; armed by smb.tree.bind.winreg.  CVE-2000-0377.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3230; rev:1;)
# sid 3383 / 139, unicode andx bind to the IActivation UUID; sets dce.iactivation.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3383; rev:1;)
# sid 3250 / 445, unicode bind to the irot UUID; sets smb.tree.bind.irot, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3250; rev:1;)
# sid 3231 / 445, ASCII andx little-endian (drep & 0x10) OpenKey request, opnum |0F 00|; byte_test:2,>,1024,20,relative,little -- byte order consistent with the drep test.  CVE-2000-0377.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3231; rev:1;)
# sid 3216 / 445, unicode andx bind to the winreg UUID; sets smb.tree.bind.winreg, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3216; rev:1;)
# sid 3378 / 139, ASCII little-endian bind to the IActivation UUID; sets dce.iactivation.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3378; rev:1;)
# sid 3171 / 445, unicode little-endian bind to the msqueue UUID; sets smb.tree.bind.msqueue, noalert; |05| anchored with within:1.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3171; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3427 / 139, unicode non-andx counterpart of sid 3439: opnum |00 04|, armed by dce.isystemactivator.bind; byte_test:4,>,256,8 is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3427; rev:1;)
# sid 3402 / 445, ASCII little-endian bind to the ISystemActivator UUID; sets dce.isystemactivator.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3402; rev:1;)
# sid 3264 / 445, ASCII big-endian IrotIsRunning request, opnum |00 02|; armed by smb.tree.bind.irot.  byte_jump:4,8,relative,little,align is followed by byte_test:4,>,1024,0,little WITHOUT relative, so the test reads payload offset 0 (the NetBIOS header), not the jumped-to field (see NOTE above).  CVE-2002-1561.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3264; rev:1;)
# sid 3423 / 445, unicode andx RemoteActivation request, opnum |00 00|; armed by dce.iactivation.bind; byte_test:4,>,256,8 is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3423; rev:1;)
# sid 3222 / 139 counterpart of sid 3230 (ASCII andx big-endian OpenKey, threshold 1024); armed by smb.tree.bind.winreg.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3222; rev:1;)
# sid 3204 / 139, unicode bind to the winreg UUID; sets smb.tree.bind.winreg, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3204; rev:1;)
# sid 3210 / 445, ASCII bind to the winreg UUID; sets smb.tree.bind.winreg, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3210; rev:1;)
# sid 3240 / 139, ASCII bind to the irot UUID; sets smb.tree.bind.irot, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3240; rev:1;)
# sid 3396 / 139, unicode little-endian bind to the ISystemActivator UUID; sets dce.isystemactivator.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3396; rev:1;)
# sid 3247 / 139, unicode little-endian andx bind to the irot UUID; sets smb.tree.bind.irot, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3247; rev:1;)
# sid 3259 / 139, unicode little-endian IrotIsRunning request, opnum |02 00|; same non-relative byte_test after the byte_jump as sid 3264 (see NOTE above).  CVE-2002-1561.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3259; rev:1;)
# sid 3411 / 139 non-andx counterpart of sid 3423 (unicode RemoteActivation, opnum |00 00|); byte_test:4,>,256,8 is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3411; rev:1;)
# sid 3223 / 139 counterpart of sid 3231 (ASCII andx little-endian OpenKey, byte_test ...,relative,little); armed by smb.tree.bind.winreg.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3223; rev:1;)
# sid 3405 / 445, ASCII andx bind to the ISystemActivator UUID; sets dce.isystemactivator.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3405; rev:1;)
# sid 3244 / 139, ASCII andx bind to the irot UUID; sets smb.tree.bind.irot, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3244; rev:1;)
# sid 3385 / 445, ASCII bind to the IActivation UUID; sets dce.iactivation.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3385; rev:1;)
# sid 3380 / 139, unicode little-endian bind to the IActivation UUID; sets dce.iactivation.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3380; rev:1;)
# sid 3184 / 445, ASCII big-endian request opnum |00 01| gated on smb.tree.bind.msqueue; threshold 128 here versus 256 in the unicode variants (3186, 3179) -- presumably halved for one-byte characters, confirm.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3184; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3440 / 445, unicode little-endian andx ISystemActivator request, opnum |04 00|; byte_test:4,>,256,8,little is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3440; rev:1;)
# sid 3426 / 139, ASCII little-endian ISystemActivator request, opnum |04 00|, matched after |5C 5C|; byte_test:4,>,256,6,little is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3426; rev:1;)
# sid 3235 / udp 135: Messenger service request, no flow keyword (UDP); anchors on |04 00| in the first two bytes, the 16-byte UUID 22 bytes later, then two aligning byte_jumps before byte_test:4,>,1024,8,relative.  CVE-2003-0717 / bugtraq 8826.
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|"; distance:22; within:16; content:"|00 00|"; distance:28; within:2; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:cve,2003-0717; reference:bugtraq,8826; classtype:attempted-admin; sid:3235; rev:1;)
# sid 3189 / 445, ASCII little-endian andx request opnum |01 00| gated on smb.tree.bind.msqueue.  NOTE(review): the drep test is & 0x10 (little endian) but byte_test:4,>,128,20,relative reads big-endian (no "little"), unlike sid 3158 -- confirm which order was intended.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3189; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3179 / 139, unicode little-endian request opnum |01 00| gated on smb.tree.bind.msqueue; same big-endian byte_test inside a little-endian rule as sid 3189 -- confirm.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3179; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3254 / 445, unicode andx bind to the irot UUID; sets smb.tree.bind.irot, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3254; rev:1;)
# sid 3195 / tcp 137: NetBIOS name query over TCP; byte_test:1,&,64,2 on byte 2 of the header, |20| at offset 12, then isdataat:56,relative requires at least 56 further bytes.  CVE-2003-0825 / bugtraq 9624.  Style: "offset: 12" carries a space the other rules do not.
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:"|20|"; offset: 12; isdataat:56,relative; classtype:attempted-admin; reference:cve,2003-0825; reference:bugtraq,9624; sid:3195; rev:3;)
# sid 3175 / 445, unicode little-endian andx bind to the msqueue UUID; sets smb.tree.bind.msqueue, noalert; |05| anchored with within:1.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3175; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3167 / 139 counterpart of sid 3175 (unicode little-endian andx msqueue bind); sets smb.tree.bind.msqueue, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3167; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3432 / 139 counterpart of sid 3440 (unicode little-endian andx ISystemActivator request, opnum |04 00|); byte_test:4,>,256,8,little is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3432; rev:1;)
# sid 3228 / 445, unicode non-andx OpenKey request, opnum |00 0F|; threshold 2048 versus 1024 in the ASCII rules (3230, 3222) -- presumably doubled for two-byte characters, confirm.  CVE-2000-0377.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3228; rev:1;)
# sid 3202 / 139, ASCII bind to the winreg UUID; sets smb.tree.bind.winreg, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3202; rev:1;)
# sid 3420 / 445, unicode little-endian RemoteActivation request, opnum |00 00|; byte_test:4,>,256,8,little is not relative (see NOTE above).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3420; rev:1;)
# sid 3269 / 445, ASCII little-endian andx IrotIsRunning request, opnum |02 00|; same non-relative byte_test after the byte_jump as sid 3264 (see NOTE above).  CVE-2002-1561.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3269; rev:1;)
# sid 3401 / 445, ASCII bind to the ISystemActivator UUID; sets dce.isystemactivator.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3401; rev:1;)
# sid 3390 / 445, ASCII little-endian andx bind to the IActivation UUID; sets dce.iactivation.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3390; rev:1;)
# sid 3172 / 445, ASCII andx bind to the msqueue UUID; sets smb.tree.bind.msqueue, noalert; |05| anchored with within:1.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3172; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid 3207 / 139, ASCII little-endian andx bind to the winreg UUID; sets smb.tree.bind.winreg, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3207; rev:1;)
# sid 3391 / 445, unicode andx bind to the IActivation UUID; sets dce.iactivation.bind, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3391; rev:1;)
# sid 3232 / 445, unicode andx OpenKey request, opnum |00 0F|, threshold 2048 (same as sid 3228); armed by smb.tree.bind.winreg.  CVE-2000-0377.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3232; rev:1;)
# sid 3158 / tcp 135: raw DCERPC (no SMB wrapper), little-endian request opnum |01 00|, byte_test:4,>,128,20,relative,little; gated on smb.tree.bind.msqueue.  NOTE(review): flowbits are tracked per flow and every rule in this chunk that sets smb.tree.bind.msqueue is on 139/445, so this rule can only fire if a port-135 bind rule outside this chunk sets the bit -- verify one exists.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; classtype:attempted-admin; sid:3158; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3224; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3258; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3176; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3379; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3213; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3422; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3262; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3436; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3190; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3165; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3425; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3418; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3395; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3246; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3408; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3253; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3198; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3215; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3394; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3263; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3433; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3187; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3236; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3181; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3168; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3414; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3388; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3382; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3229; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3276; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3429; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0F|"; distance:19; within:2; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3220; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3404; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3219; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3398; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3212; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3206; rev:1;)
# --- DCERPC interface bind tracking over SMB (139/445) and raw DCERPC (135) ---
# The rules in this run come in two kinds that cooperate on one TCP flow:
#   * "bind attempt" rules carry flowbits:set,<name> plus flowbits:noalert: they
#     only record on the flow that a bind to a particular interface UUID (the
#     16-byte content after |0B|) was seen and never raise an alert themselves;
#   * "attempt" / "overflow attempt" rules carry flowbits:isset,<name>: they fire
#     only when that bind was already seen on the same flow, then match an opnum
#     (the 2-byte content at distance:19) and compare a length field with byte_test.
# Consequence for detection: an "attempt" rule cannot fire on a flow whose bind was
# not inspected (e.g. a session established before the sensor started).
# Conventions visible in the msg strings:
#   * plain vs "andx": plain rules match |FF|SMB% (0x25 command byte) directly;
#     "andx" rules match |FF|SMB followed by one of the command bytes in the pcre
#     alternation, then locate the % byte at offset:39 and byte_jump past it.
#   * "unicode": byte_test:1,&,128,6,relative and the null-interleaved form of
#     \PIPE\; non-unicode rules test !&,128 and the 8-bit form.
#   * "little endian": byte_test:1,&,16,3,relative after the leading |05| byte
#     (presumably the byte-order flag of the DCERPC data representation); other
#     rules test !&,16 and use the byte-swapped opnum, e.g. |00 02| vs |02 00|.
#   * Ports 139 (NetBIOS session) and 445 (SMB-DS) carry the SMB-framed rules;
#     port 135 rules inspect raw DCERPC without the SMB framing.
#
# sid:3399 - ISystemActivator bind over SMB/139, unicode andx form; sets dce.isystemactivator.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3400; rev:1;)
# sid:3159 - CoGetInstanceFromFile over raw DCERPC/135; requires smb.tree.bind.msqueue, alerts when the
# 4-byte field 20 bytes past the opnum exceeds 128 (CVE-2003-0995 / MS03-026).
# NOTE(review): this rule pairs !&,16 with opnum |01 00|, whereas the SMB variants pair !&,16 with
# |00 01| (sids 3182, 3188) and &,16 with |01 00| (sids 3177, 3191); the threshold is also 128 here
# and in 3177/3188 but 256 in 3182/3191 - verify the intended byte order and limit against upstream.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3159; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3169 - msqueue bind over SMB-DS/445, little endian; sets smb.tree.bind.msqueue, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3169; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3261 - IrotIsRunning over SMB/139, little endian andx; requires smb.tree.bind.irot, alerts when the
# 4-byte value reached via byte_jump exceeds 1024 (CVE-2002-1561).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3261; rev:1;)
# sid:3257 - same check as sid:3261, plain (non-andx) form.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3257; rev:1;)
# sid:3417 - RemoteActivation over SMB-DS/445, non-little-endian; requires dce.iactivation.bind, alerts
# when the 4-byte field at offset 6 of the |5C 5C| match exceeds 256.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3417; rev:1;)
# sid:3410 - RemoteActivation over SMB/139, little endian counterpart of sid:3417.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3410; rev:1;)
# sid:3249 - irot bind over SMB-DS/445, little endian; sets smb.tree.bind.irot, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3249; rev:1;)
# sid:3271 - IrotIsRunning over SMB-DS/445, unicode little endian andx; requires smb.tree.bind.irot.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3271; rev:1;)
# sid:3437 - CoGetInstanceFromFile over SMB-DS/445, andx, non-little-endian (opnum |00 04|); requires
# dce.isystemactivator.bind, alerts when the 4-byte field at offset 6 of the |5C 5C| match exceeds 256.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 04|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3437; rev:1;)
# sid:3252 - irot bind over SMB-DS/445, andx; sets smb.tree.bind.irot, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3252; rev:1;)
# sid:3173 - msqueue bind over SMB-DS/445, little endian andx; sets smb.tree.bind.msqueue, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3173; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3161 - msqueue bind over SMB/139, little endian; sets smb.tree.bind.msqueue, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3161; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3400 - ISystemActivator bind over SMB/139, unicode little endian andx; sets dce.isystemactivator.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3400; rev:1;)
# sid:3266 - IrotIsRunning over SMB-DS/445, unicode, non-little-endian (!&,16, opnum |00 02|); requires smb.tree.bind.irot.
# NOTE(review): the byte_jump and byte_test here still carry 'little', unlike the other non-little-endian
# variants on this page (sids 3417, 3437), which omit it - verify the intended decoding against upstream.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 02|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3266; rev:1;)
# sid:3225 - winreg OpenKey over SMB/139, unicode little endian andx; requires smb.tree.bind.winreg, alerts when
# the 2-byte field 20 bytes past the opnum exceeds 2048 (CVE-2000-0377).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3225; rev:1;)
# sid:3214 - winreg bind over SMB-DS/445, andx; sets smb.tree.bind.winreg, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3214; rev:1;)
# sid:3197 - ISystemActivator path overflow over raw DCERPC/135, little endian; requires dce.isystemactivator.bind,
# alerts when the 4-byte field 8 bytes before the |5C5C| match exceeds 256 (CVE-2003-0352 / MS03-026).
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3197; rev:1;)
# sid:3434 - CoGetInstanceFromFile over SMB-DS/445, little endian counterpart of sid:3437 (opnum |04 00|).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3434; rev:1;)
# sid:3393 - ISystemActivator bind over SMB/139, plain form; sets dce.isystemactivator.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3393; rev:1;)
# sid:3424 - RemoteActivation over SMB-DS/445, unicode little endian andx; requires dce.iactivation.bind, alerts
# when the 4-byte field at offset 8 of the null-interleaved |5C 00 5C 00| match exceeds 256.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flowbits:isset,dce.iactivation.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 00|"; distance:19; within:2; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3424; rev:1;)
# sid:3221 - winreg OpenKey over SMB/139, unicode little endian, plain counterpart of sid:3225.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0F 00|"; distance:19; within:2; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3221; rev:1;)
# sid:3242 - irot bind over SMB/139, unicode; sets smb.tree.bind.irot, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3242; rev:1;)
# sid:3182 - CoGetInstanceFromFile overflow over SMB/139, unicode andx, non-little-endian (opnum |00 01|);
# requires smb.tree.bind.msqueue, threshold 256 (CVE-2003-0995 / MS03-026).
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3182; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3267 - IrotIsRunning over SMB-DS/445, unicode little endian, plain counterpart of sid:3271.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flowbits:isset,smb.tree.bind.irot; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|02 00|"; distance:19; within:2; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; classtype:protocol-command-decode; sid:3267; rev:1;)
# sid:3177 - CoGetInstanceFromFile overflow over SMB/139, little endian (opnum |01 00|); requires smb.tree.bind.msqueue, threshold 128.
# NOTE(review): the final byte_test:4,>,128,20,relative carries no 'little' although the rule selected the
# little-endian data representation, so the length is compared in the opposite byte order from the one matched;
# the same applies to sid:3191 - verify against upstream before relying on the threshold.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3177; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3387 - IActivation bind over SMB-DS/445, unicode; sets dce.iactivation.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3387; rev:1;)
# sid:3403 - ISystemActivator bind over SMB-DS/445, unicode; sets dce.isystemactivator.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3403; rev:1;)
# sid:3209 - winreg bind over SMB/139, unicode little endian andx; sets smb.tree.bind.winreg, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3209; rev:1;)
# sid:3407 - ISystemActivator bind over SMB-DS/445, unicode andx; sets dce.isystemactivator.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3407; rev:1;)
# sid:3381 - IActivation bind over SMB/139, andx; sets dce.iactivation.bind, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; within:16; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3381; rev:1;)
# sid:3191 - CoGetInstanceFromFile overflow over SMB-DS/445, unicode little endian andx (opnum |01 00|);
# requires smb.tree.bind.msqueue, threshold 256; see the byte-order note on sid:3177.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,256,20,relative; classtype:attempted-admin; sid:3191; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3438 - CoGetInstanceFromFile over SMB-DS/445, little endian andx counterpart of sid:3437 (opnum |04 00|).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flowbits:isset,dce.isystemactivator.bind; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|04 00|"; distance:19; within:2; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3438; rev:1;)
# sid:3237 - irot bind over raw DCERPC/135; sets smb.tree.bind.irot, no alert (the |05| here is anchored with depth:1,
# not within:1 as in the SMB bind rules).
# NOTE(review): the msg says "little endian" but the data-representation test is !&,16, the opposite of the
# little-endian SMB bind rules (sids 3249, 3169) - verify whether the msg or the test is the intended one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; within:16; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3237; rev:1;)
# sid:3164 - msqueue bind over SMB/139, andx; sets smb.tree.bind.msqueue, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; distance:1; within:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; within:16; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3164; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)
# sid:3188 - CoGetInstanceFromFile overflow over SMB-DS/445, andx, non-little-endian (opnum |00 01|);
# requires smb.tree.bind.msqueue, threshold 128 (CVE-2003-0995 / MS03-026).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flowbits:isset,smb.tree.bind.msqueue; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 01|"; distance:19; within:2; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:3188; rev:1; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx;)