alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt&quot;; flow:established,to_client; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; classtype:attempted-user; reference:bid,49933; reference:cve,2011-2841; sid:1330091; rev:1;)<br>
<br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 806 (msg:&quot;ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin&quot;; flow:established,to_server; content:&quot;.php?userid=&quot;; content:&quot;&amp;time=&quot;; distance:0; content:&quot;&amp;msg=&quot;; distance:0; content:&quot;&amp;ver=&quot;; distance:0; content:&quot;&amp;os=&quot;; distance:0; content:&quot;&amp;fy=&quot;; distance:0; content:&quot;&amp;pauid=&quot;; distance:0; content:&quot;&amp;checkId=&quot;; distance:0; classtype:trojan-activity; reference:url,<a href="http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20">http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20</a>; reference:url,<a href="http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/">http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/</a>; sid:1232321; rev:1;)<br>
<br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin 2&quot;; flow:established,to_server; content:&quot;.asp?ver=&quot;; http_uri; content:&quot;&amp;tgid=&quot;; http_uri; content:&quot;&amp;address=&quot;; http_uri; content:&quot;&amp;flag=&quot;; http_uri; content:&quot;&amp;alexa=&quot;; http_uri; content:&quot;&amp;List=&quot;; http_uri; classtype:trojan-activity; reference:url,<a href="http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20">http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20</a>; reference:url,<a href="http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/">http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/</a>; sid:1232322; rev:1;)<br>
<br>Regards, Kevin<br>