Simple to fix. It needs a check for the OLE flowbit (which we didn&#39;t have at the time).<br><br><div class="gmail_quote">On 14 October 2011 16:09, Lay, James <span dir="ltr">&lt;<a href="mailto:james.lay@wincofoods.com">james.lay@wincofoods.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">This rule:<br>
<br>
alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt&quot;; flow:established,to_client; content:&quot;|47 CA FF|&quot;; content:&quot;|3E C6 FF|&quot;; distance:0; isdataat:84,relative; content:!&quot;|0A|&quot;; within:84; reference:url,<a href="http://www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/" target="_blank">www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/</a>; reference:url,<a href="http://www.microsoft.com/technet/security/Bulletin/MS10-056.mspx" target="_blank">www.microsoft.com/technet/security/Bulletin/MS10-056.mspx</a>; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:2;)<br>

<br>
fires on flv and swf files…according to the exploit it’s for Word docs (RTF is specifically called out).  Unless I’m reading it wrong ☺<br>
<br>
James<br>
</blockquote></div><br>
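The false positive and the fix discussed in this thread, as an added example (not part of either message and not Emerging Threats code): a simplified Python model of the content options in sid:2011478, evaluated with and without a gate on the OLE2 compound file signature. The gate stands in for the OLE flowbit and is an assumption about what that flowbit tracks; the sample payloads are constructed, not real files.

```python
# Simplified model of the content options in sid:2011478 (single payload,
# no stream reassembly). Shows why the byte patterns alone can match any
# binary download, and how a file-type gate removes that match.

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature


def _find_all(data: bytes, needle: bytes, start: int = 0):
    """Yield every offset of needle in data at or after start."""
    pos = data.find(needle, start)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def rule_content_matches(body: bytes) -> bool:
    """content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0;
    isdataat:84,relative; content:!"|0A|"; within:84;"""
    for a in _find_all(body, b"\x47\xCA\xFF"):
        # distance:0 -> second pattern anywhere after the end of the first
        for b in _find_all(body, b"\x3E\xC6\xFF", a + 3):
            cursor = b + 3
            if cursor + 84 >= len(body):           # isdataat:84,relative
                continue
            if b"\x0A" not in body[cursor:cursor + 84]:  # negated content
                return True
    return False


def gated_matches(body: bytes) -> bool:
    """Assumption: the OLE flowbit is set only when the response body
    starts with the OLE2 signature; the rule is then evaluated as before."""
    return body.startswith(OLE2_MAGIC) and rule_content_matches(body)


# Constructed payloads: same tail, different file headers.
_TAIL = b"\x11" * 20 + b"\x47\xCA\xFF" + b"\x22" * 10 + b"\x3E\xC6\xFF" + b"\x33" * 100
FLV_LIKE = b"FLV\x01" + _TAIL        # video container header, not a Word doc
OLE_LIKE = OLE2_MAGIC + _TAIL        # OLE2 compound file header

if __name__ == "__main__":
    for name, body in (("flv-like", FLV_LIKE), ("ole-like", OLE_LIKE)):
        print(name, "ungated:", rule_content_matches(body),
              "gated:", gated_matches(body))
```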