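# File-inspection signatures: file-type markers plus a few file-format exploit checks.
# Rules carrying flowbits:noalert are silent markers; they only tag the file type
# so that later rules can gate on it with flowbits:isset / isnotset.
# NOTE(review): rules that consume a flowbit depend on the marker rule having been
# evaluated first - confirm the engine's evaluation order (by fid or file order).

# --- File-type markers -------------------------------------------------------

# PNG: 8-byte signature at the very start of the file.
alert (msg:"PNG File"; content:"|89|PNG|0D0A1A0A|"; depth:8; flowbits:noalert; flowbits:set,ispng; reference:url,www.png.org; fid:1;)

# JPEG: FF D8 FF in the first three bytes.
alert (msg:"JPEG File"; content:"|FF D8 FF|"; depth:3; flowbits:noalert; flowbits:set,isjpeg; reference:url,www.jpeg.org; fid:2;)

# PE: "MZ" at offset 0, follow the 4-byte value at offset 60 (e_lfanew), expect "PE" there.
# The flowbit needs an explicit action (flowbits:set,ispe) like the other marker rules;
# with noalert and no set action this rule would neither alert nor tag anything.
alert (msg:"PE File"; content:"MZ"; depth:2; byte_jump:4,60; content:"PE"; within:2; flowbits:noalert; flowbits:set,ispe; fid:3;)

# --- PE heuristics -----------------------------------------------------------

# Re-checks MZ/PE itself (does not gate on ispe), saves the 4 bytes at +46 from the
# cursor as BaseOfData and alerts when the 4 bytes at +38 (AddressOfEntryPoint in a
# PE32 optional header) are greater.
# NOTE(review): PE32+ (64-bit) images have no BaseOfData field; that offset falls inside
# ImageBase, so the comparison is not meaningful for them. Consider restricting this
# rule to PE32, and treat hits as a heuristic (packers, unusual section layout) rather
# than a verdict.
alert (msg:"PE File with EntryPoint outside of code section"; content:"MZ"; depth:2; byte_jump:4,60; content:"PE"; within:2; byte_save:4,46,BaseOfData,relative; byte_test:4,>,BaseOfData,38,relative; fid:4;)

# --- PNG checks --------------------------------------------------------------

# Silent marker: sets ispngplte when a "PLTE" chunk is found.
# Presumably loop/start walk the chunk list from offset 8 using 4-byte big-endian
# lengths - confirm against the engine's documentation for loop and start.
alert (msg:"PNG with PLTE chunk"; flowbits:isset,ispng; flowbits:set,ispngplte; flowbits:noalert; loop:4,"PLTE",big; start:8; fid:5;)

# Alerts on a "tRNS" chunk in a PNG with no PLTE marker when the 4-byte big-endian
# value 8 bytes before the cursor (presumably the chunk length) exceeds 256.
# NOTE(review): if fid 5 has not run yet, ispngplte is unset and this rule will also
# fire on files that do carry a PLTE chunk.
alert (msg:"PNG tRNS overflow"; flowbits:isset,ispng; flowbits:isnotset,ispngplte; loop:4,"tRNS",big; start:8; byte_test:4,>,256,-8,relative,big; fid:6;)

# --- WMF checks --------------------------------------------------------------

# Standard WMF marker: 2-byte little-endian value at offset 0 below 3, then 09 00
# (header size of 9 words), then 00 00 twelve bytes later.
# NOTE(review): the 09 00 content has no depth/offset, so it may match anywhere in the
# file; consider anchoring it to the header to avoid tagging unrelated files as WMF.
alert (msg:"Standard WMF"; byte_test:2,<,3,0,little; content:"|09 00|"; content:"|00 00|"; distance:12; within:2; flowbits:set,wmf; flowbits:noalert; fid:7;)

# Placeable WMF marker: magic D7 CD C6 9A followed by 00 00 in the first six bytes.
alert (msg:"Placeable WMF"; content:"|D7 CD C6 9A 00 00|"; depth:6; flowbits:set,wmf; flowbits:noalert; fid:8;)

# Alerts on byte 26, one skipped byte, then 09 00 inside a file tagged wmf - consistent
# with an Escape record (function 0x0626) whose escape code is SETABORTPROC (0x0009).
# NOTE(review): the pattern is not tied to a record boundary, so it can match ordinary
# WMF data; expect false positives and corroborate hits before acting on them.
alert (msg:"SETABORTPROC Escape function in WMF (possible MS06-001 exploit)"; flowbits:isset,wmf; content:"|26|"; content:"|09 00|"; distance:1; within:2; fid:9;)

# --- BMP check ---------------------------------------------------------------

# "BM" at offset 0, skip 4 bytes (bfSize), then require 8 zero bytes: both reserved
# words and bfOffBits are zero, i.e. the pixel-data offset points at the file start.
alert (msg:"BMP with invalid bfOffBits (possible MS06-005)"; content:"BM"; depth:2; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; fid:10; rev:1;)

# --- Malware signature -------------------------------------------------------

# Mach-O magic FE ED FA CE in the first four bytes plus two strings anywhere in the
# file: "oompa" and the Spotlight query "kMDItemLastUsedDate >= $time.this_month"
# (|20 3e 3d 20 24| encodes " >= $").
alert (msg:"OSX/Oomp-A"; content:"|FEEDFACE|"; depth:4; content:"oompa"; content:"kMDItemLastUsedDate|203e3d2024|time.this_month"; reference:url,www.ambrosiasw.com/forums/index.php?showtopic=102379; fid:11; rev:1;)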