Sigs for various things. Regards, Kev<br><br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt&quot;; flow:established,to_client; content:&quot;APPLET&quot;; nocase; content:&quot;children&quot;; fast_pattern; nocase; distance:0; content:&quot;location.reload&quot;; nocase; within:100; classtype:attempted-user; reference:url,<a href="http://code.google.com/p/skylined/issues/detail?id=18">code.google.com/p/skylined/issues/detail?id=18</a>; reference:url,<a href="http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html">www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html</a>; sid:19340001; rev:1;)<br>
<br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET WEB_CLIENT Embedded Executable File in PDF, This Program Cannot Be Run in DOS Mode&quot;; flow:established,to_client; content:&quot;PDF-&quot;; nocase; depth:300; content:&quot;This program cannot be run in DOS mode&quot;; nocase; distance:0; classtype:bad-unknown; sid:19340002; rev:1;)<br>
<br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET ACTIVEX Microsoft Office mshtmled.dll HtmlDlgHelper Class Memory Corruption Attempt&quot;; flow:established,to_client; content:&quot;clsid&quot;; nocase; content:&quot;3050F4E1-98B5-11CF-BB82-00AA00BDCE0B&quot;; nocase; distance:0; content:&quot;CHtmlDlgHelper&quot;; nocase; pcre:&quot;/&lt;OBJECT\s+[^&gt;]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4E1-98B5-11CF-BB82-00AA00BDCE0B/si&quot;; classtype:attempted-user; reference:url,<a href="http://www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption">www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption</a>; reference:cve,2010-3329; sid:19340003; rev:1;) <br>
<br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF&quot;; flow:established,to_client; content:&quot;PDF-&quot;; depth:300; nocase; content:&quot;x-shockwave-flash&quot;; nocase; distance:0; pcre:&quot;/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i&quot;; classtype:bad-unknown; sid:19340004; rev:1;) <br>
<br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt&quot;; flow:established,to_client; content:&quot;clsid&quot;; nocase; content:&quot;15DBC3F9-9F0A-472E-8061-043D9CEC52F0&quot;; nocase; distance:0; content:&quot;extSetOwner&quot;; nocase; pcre:&quot;/&lt;OBJECT\s+[^&gt;]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si&quot;; classtype:attempted-user; reference:url,<a href="http://www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/">www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/</a>; sid:19340005; rev:1;) <br>
<br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code&quot;; flow:established,to_client; content:&quot;PDF-&quot;; nocase; depth:300; content:&quot;app.setTimeOut(&quot;; nocase; distance:0; classtype:bad-unknown; reference:url,<a href="http://www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4">www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4</a>; reference:url,<a href="http://www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4">www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4</a>; sid:19340006; rev:1;) <br>