[Emerging-Sigs] Signature for Microsoft Internet Explorer MSHTML Findtext Processing Issue

rmkml rmkml at free.fr
Thu Oct 28 06:28:22 EDT 2010


Hi Dave,
thx for this sig,
Maybe I have a small comment: for the first content, please change distance:0 to offset:0.
Both work, but distance:0 in first place does not work on Suricata, if I remember correctly.
Regards
Rmkml


On Thu, 28 Oct 2010, dave richards wrote:

> Hi Matt,
> Please find the signature for Microsoft Internet Explorer MSHTML Findtext Processing Issue
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS Microsoft Internet Explorer MSHTML FindText Processing Issue";
> flow:to_client,established; content:"type="; nocase; distance:0; content:"textRange."; nocase; distance:0; content:"findText("; nocase; distance:0;
> classtype:attempted-user; reference:cve,CVE-2010-2553; reference:url,exploit-db.com/exploits/15122;
> reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue; sid:20101020; rev:1;)
> Looking forward to your comments, if any
> --
> Regards,
> Dave
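
The point raised in the reply, as an added example that is not part of the original thread: `distance` and `within` are measured from the end of the previous content match, which the first `content` in a rule does not have. This Python lint flags those modifiers on the first content and rewrites `distance:N` to `offset:N`; the function names are hypothetical, and it assumes a single payload buffer (it looks only at the first `content` in the rule).

```python
RELATIVE = {"distance", "within"}  # positioned relative to the previous content match

# The rule from the quoted message, joined onto one line.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS Microsoft '
    'Internet Explorer MSHTML FindText Processing Issue"; flow:to_client,established; '
    'content:"type="; nocase; distance:0; content:"textRange."; nocase; distance:0; '
    'content:"findText("; nocase; distance:0; classtype:attempted-user; reference:cve,CVE-2010-2553; '
    'reference:url,exploit-db.com/exploits/15122; reference:url,exploit-db.com/'
    'moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue; sid:20101020; rev:1;)'
)

def split_options(rule):
    """Split the (...) option block into (keyword, value) pairs, honouring quotes and escapes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            key, _, val = buf.strip().partition(":")
            if key:
                opts.append((key.strip().lower(), val.strip()))
            buf = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = ch == "\\" and not escaped
        buf += ch
    return opts

def relative_on_first_content(rule):
    """Return the relative modifiers attached to the rule's first content match."""
    seen, hits = 0, []
    for key, val in split_options(rule):
        if key == "content":
            seen += 1
        elif key in RELATIVE and seen == 1:
            hits.append(f"{key}:{val}")
    return hits

def anchor_first_content(rule):
    """Rewrite distance:N on the first content to offset:N, the change the reply asks for."""
    seen, out = 0, []
    for key, val in split_options(rule):
        if key == "content":
            seen += 1
        elif key == "distance" and seen == 1 and val.isdigit():
            key = "offset"  # absolute position from the start of the payload
        out.append(f"{key}:{val};" if val else f"{key};")
    return rule[: rule.index("(") + 1] + " ".join(out) + ")"
```

`relative_on_first_content(RULE)` reports the one `distance:0` the reply points at; the two later `distance:0` modifiers are left alone because they follow an earlier content match.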

