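# ---------------
# EXPERIMENTAL RULES
# ---------------
# These signatures are experimental, new, and may trigger far too often.
#
# Be forewarned: this is our testing ground. We put new signatures here for
# testing before incorporating them into the default signature set. This is
# for bleeding-edge stuff only.
#
# MS04-028 / CVE-2004-0200 (GDI+ JPEG parsing heap overflow). A JPEG segment
# whose 2-byte length field is 0 or 1 underflows the vulnerable parser's
# "length - 2" computation. The rule looks for such a marker (APP1 FFE1,
# APP2 FFE2, APP13 FFED or COM FFFE with length 00 00 / 00 01) anywhere after
# the SOI marker (FF D8) in a server response that declares a JPEG
# Content-Type.
#
# Changes from rev 2:
#  - Dropped the fixed ".{2}" that followed FF D8 in the pcre. It consumed
#    the two marker bytes of the FIRST segment after SOI, so the canonical
#    minimal trigger FF D8 FF FE 00 01 could never match; the ".*" that
#    follows already allows any number of intervening segments.
#  - Added a content match for |FF D8| after "image/jp" as a cheap
#    pre-filter, so the unanchored DOTALL pcre is only evaluated on payloads
#    that actually carry an SOI marker.
#  - Reference updated from the retired CAN- prefix to cve,2004-0200.
#
# Known gaps (deliberately not addressed here): the rule keys on the
# Content-Type header, so a JPEG served as application/octet-stream,
# compressed with gzip/deflate, or with the marker split across a
# chunked-encoding boundary is not detected. Only the marker values in the
# character class are inspected; other APPn markers are not covered. Ports
# are left as "any" on purpose so non-standard HTTP ports are still seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Experimental WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; content:"|FF D8|"; distance:0; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:3;)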