[Emerging-Sigs] Rule 2011478

Kevin Ross kevross33 at googlemail.com
Sat Oct 15 10:28:27 EDT 2011


Simple to fix. It needs a check for the OLE flowbit (which we didn't have at
the time).

On 14 October 2011 16:09, Lay, James <james.lay at wincofoods.com> wrote:

> This rule:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT
> Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt";
> flow:established,to_client; content:"|47 CA FF|"; content:"|3E C6 FF|";
> distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,
> www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/;
> reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx;
> reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user;
> sid:2011478; rev:2;)
>
> fires on flv and swf files…according to the exploit it’s for Word docs (RTF
> is specifically called out).  Unless I’m reading it wrong ☺
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
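Added example, not part of the list thread: a Python emulation of the content/distance/isdataat/within logic of SID 2011478, run over two constructed buffers. The point it makes is the one James raised and Kevin confirms: the rule's two three-byte anchors plus "84 bytes with no 0x0A" say nothing about the file type, so any binary stream (an FLV or SWF body, for instance) that happens to contain the two sequences fires it, while gating on the OLE2 container header (D0 CF 11 E0 A1 B1 1A E1, the well-known magic of the Compound File format that Word .doc files use) keeps the same payload check but only on the documents the exploit can live in. The emulation treats the whole buffer as the inspected payload and backtracks over alternative content matches the way Snort does; it is an approximation of the engine, not the engine. The sample buffers are constructed for this example.

```python
# Emulation of the payload logic of ET SID 2011478 and of a file-type gate.
# The gate stands in for the OLE flowbit mentioned in the reply; no flowbit
# name is assumed here.

FIRST = b"\x47\xca\xff"   # content:"|47 CA FF|"
SECOND = b"\x3e\xc6\xff"  # content:"|3E C6 FF|"; distance:0
TAIL = 84                 # isdataat:84,relative; content:!"|0A|"; within:84

# OLE2 / Compound File header, the container of Word .doc files (well-known magic).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def rule_2011478_matches(payload: bytes) -> bool:
    """Return True if the rule's content options match the buffer.

    Mirrors Snort semantics: SECOND must start at or after the end of FIRST
    (distance:0), at least TAIL bytes must follow SECOND (isdataat), and the
    TAIL bytes after SECOND must not contain 0x0A (negated content, within).
    Like Snort, later occurrences of FIRST and SECOND are retried when an
    earlier one fails the trailing checks.
    """
    first = payload.find(FIRST)
    while first >= 0:
        second = payload.find(SECOND, first + len(FIRST))
        while second >= 0:
            cursor = second + len(SECOND)
            enough_data = len(payload) - cursor >= TAIL
            if enough_data and b"\x0a" not in payload[cursor:cursor + TAIL]:
                return True
            second = payload.find(SECOND, second + 1)
        first = payload.find(FIRST, first + 1)
    return False


def is_ole2(payload: bytes) -> bool:
    """File-type gate: does the buffer start with the OLE2 container header?"""
    return payload.startswith(OLE2_MAGIC)


def gated_match(payload: bytes) -> bool:
    """The same payload check, but only for buffers that are OLE2 documents."""
    return is_ole2(payload) and rule_2011478_matches(payload)


# Constructed samples. The trailing 90 bytes contain no 0x0A, so the negated
# content check passes in both cases; only the leading magic differs.
_TRIGGER = FIRST + b"\x01\x02" + SECOND + bytes(range(1, 10)) * 10
SWF_LIKE = b"FWS\x08" + _TRIGGER        # uncompressed SWF signature, not OLE2
DOC_LIKE = OLE2_MAGIC + _TRIGGER         # OLE2 container, where the exploit lives


if __name__ == "__main__":
    for name, buf in (("swf-like", SWF_LIKE), ("doc-like", DOC_LIKE)):
        print(f"{name}: ungated={rule_2011478_matches(buf)} gated={gated_match(buf)}")
```

The ungated check fires on both buffers; the gated check fires only on the OLE2 one. In Snort terms the gate is a `flowbits:isset` on a bit that an earlier rule sets when it sees the OLE2 header on the same flow, which is what the reply above means by "a check for the OLE flowbit"; the rule as posted has no such option.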

