[Emerging-Sigs] Three New sigs
Matt Jonkman
jonkman at jonkmans.com
Wed Feb 13 14:05:48 EST 2008
Three interesting sigs in from Akash Mahajan of Stillsecure this morning.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"0x40000"; content:"Acton"; nocase; content:"clsid"; nocase; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; classtype:web-application-attack; reference:bugtraq,27539; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007815; rev:2;)
The above replaces the previous sig, which was just looking for the CLSID.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; classtype:web-application-attack; sid:2007847; rev:1;)
That one is for the Sony exploit, and finally:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; flow:to_client,established; content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; reference:bugtraq,24426; classtype:web-application-attack; sid:2007848; rev:1;)
Thanks for submitting these Akash. As always, please report any issues
or feedback.
Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
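An added example, not part of Matt's post or of the Emerging Threats rule set: a small Python matcher that parses the content/nocase options of the three rules above and runs them over constructed HTTP response bodies. It shows why the Aurigma rule that replaced the CLSID-only sig no longer fires on a page that merely embeds the control (all content options are ANDed), and how nocase decides whether a lowercase CLSID or an uppercase "0X40000" still matches. The rule strings are the rules exactly as posted (including content:"Acton"); the sample pages are constructed for the test, and the matcher ignores flow, reference and every other non-content option, so it is a rule-logic check, not a Snort replacement.

```python
import re
from dataclasses import dataclass

# The three signatures from the post, each kept on one line as Snort expects.
RULE_AURIGMA = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Aurigma '
    'Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt"; '
    'flow:to_client,established; content:"0x40000"; content:"Acton"; nocase; '
    'content:"clsid"; nocase; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; '
    'classtype:web-application-attack; reference:bugtraq,27539; '
    'reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007815; rev:2;)'
)
RULE_SONY = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Sony ImageStation '
    '(SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; '
    'content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; '
    'content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; '
    'reference:url,www.milw0rm.com/exploits/5100; classtype:web-application-attack; '
    'sid:2007847; rev:1;)'
)
RULE_XVOICE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft '
    'DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; '
    'flow:to_client,established; content:"clsid"; nocase; '
    'content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; '
    'content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; '
    'reference:bugtraq,24426; classtype:web-application-attack; sid:2007848; rev:1;)'
)

# One option per match: "name;" or "name:value;" where value may be a quoted string.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class ContentMatch:
    value: str
    nocase: bool = False  # set by a "nocase;" that follows the content option

    def hits(self, payload: str) -> bool:
        if self.nocase:
            return self.value.lower() in payload.lower()
        return self.value in payload


@dataclass
class Rule:
    sid: int
    msg: str
    contents: list


def parse_rule(text: str) -> Rule:
    """Pull sid, msg and the ordered content/nocase options out of a rule line."""
    body = text[text.index("(") + 1 : text.rindex(")")]
    sid, msg, contents = None, "", []
    for name, raw in OPTION_RE.findall(body):
        val = raw.strip().strip('"')
        if name == "content":
            contents.append(ContentMatch(val))
        elif name == "nocase":
            contents[-1].nocase = True  # modifier applies to the preceding content
        elif name == "sid":
            sid = int(val)
        elif name == "msg":
            msg = val
    if sid is None or not contents:
        raise ValueError("rule lacks sid or content options")
    return Rule(sid, msg, contents)


def match(rule: Rule, payload: str) -> bool:
    # Snort ANDs the content options: every one must appear somewhere in the payload.
    return all(c.hits(payload) for c in rule.contents)


def fired(rules, payload: str):
    """Return the sids that fire on a response body."""
    return [r.sid for r in rules if match(r, payload)]


RULES = [parse_rule(t) for t in (RULE_AURIGMA, RULE_SONY, RULE_XVOICE)]

# Constructed sample pages, not real captures.
CLSID_ONLY = (  # a page that only embeds the Aurigma control
    '<html><body><object classid="clsid:6E5E167B-1566-4316-B27F-0DDAB3484CF7" '
    'id="up"></object></body></html>'
)
AURIGMA_ALL = CLSID_ONLY + (  # every content string of sid 2007815, mixed case
    '<script>var o = document.getElementById("up"); o.ACTON = "0x40000";</script>'
)
CASE_TRAP = AURIGMA_ALL.replace("0x40000", "0X40000")  # 0x40000 has no nocase in 2007815
XVOICE_PAGE = (  # lowercase CLSID still matches because that content has nocase
    '<object classid="CLSID:eee78591-fe22-11d0-8bef-0060081841de" id="sp"></object>'
    '<script>sp.FindEngine("0x40000");</script>'
)

if __name__ == "__main__":
    for label, page in [("clsid only", CLSID_ONLY), ("aurigma all", AURIGMA_ALL),
                        ("case trap", CASE_TRAP), ("xvoice", XVOICE_PAGE)]:
        print(f"{label:12s} -> {fired(RULES, page)}")
```

The CLSID-only page yields no alert, which is the difference between rev 2 and the sig it replaced; the uppercase "0X40000" page also stays silent for 2007815 because that content has no nocase, while the Sony rule's copy of the same string does.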