[Emerging-Sigs] SIG: ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 06:42:51 EDT 2011


Thanks Kevin. Please post pedro!

Matt


On Oct 6, 2011, at 3:37 PM, Kevin Ross wrote:

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; classtype:attempted-user; reference:url,http://dl.packetstormsecurity.net/1109-advisories/sa45550.txt; sid:1234001; rev:1;)
> 
> Regards, Kev
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------



More information about the Emerging-sigs mailing list