[Emerging-updates] Daily Ruleset Update Summary 12/30/2012 (Weekend Update Thanks For the "Pointer" Edition)

Will Metcalf wmetcalf at emergingthreatspro.com
Sun Dec 30 20:50:52 HAST 2012

[***]          Summary          [***]

Just a small update to one of the IE 0-day sigs and a couple of sigs to
catch EIP in the URI as described here.


Both the original exploit and Metasploit pass EIP via window.location,
which ends up sending a relative request to the originating server with the EIP
in the URI. Adding a couple of rules for this. Had a bit of trouble with
normalization of the URIs, so pardon the http_raw_uri's on Snort until I
figure out what I did wrong :)...

GET /%E0%AC%B0%E0%B0%8Chttps://www.google.com/settings/account HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: ready.player.one
Connection: Keep-Alive

 [+++]          Added rules:          [+++]

  2016136 - ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8
  2016137 - ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)

 [///]     Modified active rules:     [///]

  2016132 - ET CURRENT_EVENTS Escaped Unicode Char in Window Location
CVE-2012-4792 EIP (current_events.rules)
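
The behaviour described in the summary can be checked offline against logged request lines. The following is an added example, not part of the original post and not the logic of the ET rules listed above. It assumes the pattern seen in the sample request (a run of percent-encoded UTF-8 immediately followed by an absolute URL) and that the two decoded code points are the low and high 16-bit halves of the address; the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Raw, un-normalized request target: 4-6 %XX escapes directly followed by an
# absolute URL (assumption taken from the sample request in the post).
LEAD = re.compile(r"^/((?:%[0-9A-Fa-f]{2}){4,6})(?=https?://)")

def eip_from_raw_uri(raw_uri):
    """Return the 32-bit value carried in the URI prefix, or None."""
    m = LEAD.match(raw_uri)
    if not m:
        return None
    try:
        chars = unquote_to_bytes(m.group(1)).decode("utf-8")
    except UnicodeDecodeError:
        return None  # not UTF-8, so not an escaped-Unicode string
    # Exactly two non-ASCII BMP code points = two 16-bit halves of a dword.
    if len(chars) != 2 or any(not 0x80 <= ord(c) <= 0xFFFF for c in chars):
        return None
    low, high = (ord(c) for c in chars)  # assumed little-endian word order
    return (high << 16) | low

def scan(request_lines):
    """Return (raw_uri, hex_value) for every request line that matches."""
    hits = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue
        value = eip_from_raw_uri(parts[1])
        if value is not None:
            hits.append((parts[1], f"0x{value:08x}"))
    return hits

SAMPLE = [
    # Request line from the post above.
    "GET /%E0%AC%B0%E0%B0%8Chttps://www.google.com/settings/account HTTP/1.1",
    # Constructed benign lines: ordinary UTF-8 path and query string.
    "GET /%E4%B8%AD%E6%96%87/index.html HTTP/1.1",
    "GET /search?q=%E2%9C%93 HTTP/1.1",
]

if __name__ == "__main__":
    for uri, value in scan(SAMPLE):
        print(value, uri)
```

The match has to run on the raw URI, as the post notes for the Snort rules, because a normalized URI no longer contains the %XX escapes.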