[Emerging-Sigs] Custom Rules
Matt Jonkman
jonkman at jonkmans.com
Wed Feb 6 10:09:26 EST 2008
Nice sigs Chandan, will post these momentarily. Thanks!
Matt
S Chandan wrote:
> 7066::web-attacks.rules::alert tcp $EXTERNAL_NET $HTTP_PORTS ->
> $HOME_NET any (msg:"Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure
> Method Vulnerability"; flow:to_client,established; content:"CLSID";
> nocase; content:"A934AEE3-8896-485F-8A55-ACF2A87BD010"; nocase;
> pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"SavePkcs8File";
> nocase; distance:0; within:40; classtype:web-application-attack;
> reference:bugtraq,27540; reference:url,www.milw0rm.com/exploits/5028;
> sid:7066; rev:1;)
>
> 7067::web-attacks.rules::alert tcp $EXTERNAL_NET $HTTP_PORTS ->
> $HOME_NET any (msg:"Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure
> Method Vulnerability"; flow:to_client,established; content:"CLSID";
> nocase; content:"2A9A3D40-2F32-45BF-9A89-AC9ED6C2FEDF"; nocase;
> pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"SaveLastError";
> nocase; distance:0; within:40; classtype:web-application-attack;
> reference:bugtraq,27493; reference:url,www.milw0rm.com/exploits/5005;
> sid:7067; rev:1;)
>
> Regards,
> Chandan S
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc