[Emerging-Sigs] Sig for MS Office Snapshot

Matt Jonkman jonkman at jonkmans.com
Mon Jul 14 10:59:38 EDT 2008


Ya, it ought to be 3 sigs. But I don't think there's anything to 
indicate exploit vs just normal access to the clsid.

May be wrong there though.

Matt

Frank Knobbe wrote:
> On Mon, 2008-07-14 at 10:07 -0400, Matt Jonkman wrote:
>> I'm afraid this one will FP too often. Looks like it'll trip on just 
>> normal access. Anyone know more about it to say for sure?
>>
>> We need a better content anchor before that pcre as well. Anything there 
>> we could add?
> 
> I would make three sigs out of it, each anchored with a content on each
> CLSID.
> 
> -Frank
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



