[Emerging-Sigs] Multiple Sigs

Kevin Ross kevross33 at googlemail.com
Wed Oct 13 15:52:17 EDT 2010


Sigs for various things. Regards, Kev

# Oracle Java APPLET "children" property memory corruption (Oracle Oct-2010 CPU
# bulletin and SkyLined issue 18 are the references). Fires on server->client
# HTTP responses. The three content matches are ordered: "APPLET" anywhere,
# then "children" after it (distance:0; fast_pattern makes it the prefilter),
# then "location.reload" no more than 100 bytes past the end of "children".
# NOTE(review): "APPLET" is matched without the leading "<", so the plain word
# "applet" in page text satisfies the first content; it is the within:100
# window on "location.reload" that keeps this from firing on ordinary pages.
# TODO confirm 100 bytes is wide enough for the PoC's trigger sequence.
# NOTE(review): this and the other rules in the post were line-wrapped by the
# mail client (the wraps fall inside the msg strings); each rule must be
# rejoined onto one line (or use trailing "\" continuation) before loading.
# The sid is the submitter's working number — TODO assign from the ET range.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
Possible Oracle Java APPLET Tag Children Property Memory Corruption
Attempt"; flow:established,to_client; content:"APPLET"; nocase;
content:"children"; fast_pattern; nocase; distance:0;
content:"location.reload"; nocase; within:100; classtype:attempted-user;
reference:url,code.google.com/p/skylined/issues/detail?id=18; reference:url,
www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html;
sid:19340001; rev:1;)

# Embedded PE file inside a PDF: looks for the MS-DOS stub message anywhere
# after the "PDF-" header, which itself must sit within the first 300 bytes of
# the packet payload (no http_* buffer modifier is used, so long HTTP response
# headers ahead of the body can push "PDF-" past that window).
# Caveats for whoever deploys it:
#  - only an *uncompressed* embed is caught; the same stub inside a
#    FlateDecode'd stream does not contain this plaintext;
#  - benign PDFs that merely quote the sentence (e.g. documents about PE files)
#    will also match, which is why classtype is bad-unknown rather than
#    attempted-user;
#  - the "PDF-" match carries nocase, which is harmless but unnecessary for a
#    fixed magic string.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
Embedded Executable File in PDF, This Program Cannot Be Run in DOS Mode";
flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"This
program cannot be run in DOS mode"; nocase; distance:0;
classtype:bad-unknown; sid:19340002; rev:1;)

# Microsoft Office mshtmled.dll HtmlDlgHelper memory corruption
# (CVE-2010-3329; Core Security advisory). Two content matches anchor the
# CLSID after the literal "clsid", a third requires the class name
# "CHtmlDlgHelper" somewhere in the payload, and the pcre confirms the CLSID is
# the classid= attribute of an <OBJECT> tag (optional quote and optional "{"
# tolerated; /si = case-insensitive, "." spans newlines).
# The "CHtmlDlgHelper" content has no distance/within, so it may sit before or
# after the OBJECT tag; only the CLSID is tied to the tag.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX
Microsoft Office mshtmled.dll HtmlDlgHelper Class Memory Corruption
Attempt"; flow:established,to_client; content:"clsid"; nocase;
content:"3050F4E1-98B5-11CF-BB82-00AA00BDCE0B"; nocase; distance:0;
content:"CHtmlDlgHelper"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4E1-98B5-11CF-BB82-00AA00BDCE0B/si";
classtype:attempted-user; reference:url,
www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption;
reference:cve,2010-3329; sid:19340003; rev:1;)

# Flash embedded in a PDF, detected via the application/x-shockwave-flash
# MIME type string after the "PDF-" header. The pcre lets each character of
# the "application/" prefix be written either literally or as a PDF name
# escape (#xx), e.g. "#61pplication#2Fx-shockwave-flash".
# NOTE(review): the escape handling covers the prefix only. The plain content
# match on "x-shockwave-flash" must succeed first, and the pcre repeats that
# part literally, so #-escaping any byte of "x-shockwave-flash" bypasses the
# whole rule. Same deployment caveats as the other PDF rules: only uncompressed
# objects are visible, and "PDF-" must be within the first 300 bytes of the
# packet payload (no http_* buffer modifier is used).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client;
content:"PDF-"; depth:300; nocase; content:"x-shockwave-flash"; nocase;
distance:0;
pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i";
classtype:bad-unknown; sid:19340004; rev:1;)

# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner remote code
# execution (exploit-db write-up is the only reference given). Same shape as
# the HtmlDlgHelper rule above: CLSID anchored after the literal "clsid", the
# method name "extSetOwner" required anywhere in the payload (unanchored), and
# the pcre ties the CLSID to an <OBJECT classid=...> tag with optional quote
# and optional "{".
# TODO(review): no CVE reference is included in the submission — add one if
# an identifier exists for this bug so the rule can be cross-referenced.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Trend
Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution
Attempt"; flow:established,to_client; content:"clsid"; nocase;
content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0;
content:"extSetOwner"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si";
classtype:attempted-user; reference:url,
www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/;
sid:19340005; rev:1;)

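# app.setTimeOut() with a string argument is a known way to have Acrobat
# evaluate attacker-assembled JavaScript (h-online "PDF timebomb" article;
# vicheck sample hash in the references).
# Fix in rev 2: the original content match included the "(" so a call written
# as "app.setTimeOut (" with whitespace before the paren slipped past the rule.
# The content now prefilters on the method name alone and the pcre allows
# optional whitespace before the opening paren. The rule is rejoined onto a
# single line (the submission was wrapped by the mail client).
# Caveats: app.setTimeOut is a legitimate Acrobat API, so expect hits on benign
# documents (hence bad-unknown rather than attempted-user); only uncompressed
# JavaScript is visible to the match (code inside a FlateDecode'd stream, or
# built up via string concatenation, is not); and "PDF-" must be within the
# first 300 bytes of the packet payload because no http_* buffer modifier is
# used.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"app.setTimeOut"; nocase; distance:0; pcre:"/app\.setTimeOut\s*\(/i"; classtype:bad-unknown; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; sid:19340006; rev:2;)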