[Emerging-Sigs] sid 2003212, from WORD documents
Matt Jonkman
jonkman at jonkmans.com
Wed Apr 16 14:03:58 EDT 2008
Hi Lee. I talked to shirkdog, and he doesn't recall the original
research, but is sure these are FPs. The sig was originally targeted for
the specific exploit way back when.
I'm going to drop the sig, it's not applicable anymore. Thanks for
bringing up the issue.
Matt
Lee Clemens wrote:
> Hello all,
>
> I have encountered a couple of these alerts recently and saw that Shirkdog
> noted this rule was "out for testing. Please report experiences".
>
> This rule was triggered while I accessed OWA and saved a specific file
> attached to an email, in an HTTP/1.1 200 OK message.
>
> The message (readable) has "Expires: Sun, 13 Apr 2008 00:50:00 GMT" and
> continues with "54 0D 0A 0D 0A D0 CF 11 E0 A1". The "T" in "GMT" is the
> start of the signature's first 'content' byte: 54.
>
> I hope that helps, but please let me know what other information may be
> useful in tuning this rule or determining the status of a potentially
> as-of-yet unknown Word vulnerability.
>
> Kind Regards,
> Lee
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
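
The false positive described in this thread, as an added example that is not part of the original messages or of the Emerging Threats ruleset. It tests only the ten bytes quoted in Lee's report (the full content of sid 2003212 is not shown here) against constructed HTTP responses, to show that the hit depends on which header comes last rather than on anything inside the document.

```python
# Added illustration; the sample HTTP responses below are constructed.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header (legacy .doc/.xls/.ppt)

# Bytes quoted in the report: "T" + CRLF CRLF + first five bytes of the OLE2 magic.
REPORTED = bytes.fromhex("540D0A0D0AD0CF11E0A1")


def build_response(headers, body):
    """Assemble a minimal HTTP/1.1 200 response from (name, value) pairs."""
    head = "HTTP/1.1 200 OK\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("ascii") + b"\r\n" + body


def reported_bytes_present(payload):
    """True if the ten reported bytes occur anywhere in the payload."""
    return REPORTED in payload


def describe(payload):
    """Split headers from body and report what actually drives the match."""
    head, _, body = payload.partition(b"\r\n\r\n")
    last_header = head.split(b"\r\n")[-1].decode("ascii")
    return {
        "last_header": last_header,
        "body_is_ole2": body.startswith(OLE2_MAGIC),
        "pattern_hit": reported_bytes_present(payload),
    }


doc = OLE2_MAGIC + b"\x00" * 24  # constructed stand-in for a benign .doc attachment
date = "Sun, 13 Apr 2008 00:50:00 GMT"

# Same benign body three ways: date header last, date header first, and a non-OLE2 body.
expires_last = build_response(
    [("Content-Type", "application/msword"), ("Expires", date)], doc)
length_last = build_response(
    [("Expires", date), ("Content-Type", "application/msword"),
     ("Content-Length", str(len(doc)))], doc)
not_ole = build_response([("Expires", date)], b"%PDF-1.4\n")

if __name__ == "__main__":
    for name, resp in [("expires_last", expires_last),
                       ("length_last", length_last),
                       ("not_ole", not_ole)]:
        print(name, describe(resp))
```

Only the response whose final header ends in "T" and whose body is an OLE2 file matches; the same document served with a different last header does not.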