[Emerging-Sigs] Sig for MS Office Snapshot
Matt Jonkman
jonkman at jonkmans.com
Mon Jul 14 10:07:12 EDT 2008
I'm afraid this one will FP too often. Looks like it'll trip on just
normal access. Anyone know more about it to say for sure?
We need a better content anchor before that pcre as well. Anything there
we could add?
Matt
chandan wrote:
> Signature for Microsoft Office Snapshot Viewer ActiveX control.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"Snapshot
> Viewer for Microsoft Access ActiveX Control Arbitrary File Download";
> flow:to_client,established; content:"clsid"; nocase;
> pcre:"/(F0E42D50-368C-11D0-AD81-00A0C90DC8D9|F0E42D60-368C-11D0-AD81-00A0C90DC8D9|F2175210-368C-11D0-AD81-00A0C90DC8D9)/i";
> pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i";
> pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114;
> reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;
> reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html;
> classtype:web-application-attack; sid:9003; rev:1;)
>
> Regards,
> Chandan
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
More information about the Emerging-sigs
mailing list