
List:       emerging-sigs
Subject:    [Emerging-Sigs] SIG (RETESTED): ET CURRENT_EVENTS Possible Microsoft Windows .lnk File Processing We
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2010-07-28 15:37:56
Message-ID: 4C504ED4.6090106 () jonkmans ! com

Posted, ought to be good for the major wave of threats.

Thanks Kevin!

Matt

On 7/27/10 2:14 PM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; classtype:attempted-user; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:bid,41732; reference:cve,2010-2568; sid:1213001; rev:1;)
> 
> Works fine it seems. Kev

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
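To check offline what the quoted signature actually keys on, the following added Python script (not from the thread, not Emerging Threats code) emulates the rule's chain of four content matches, each nocase and each after the first anchored with distance:0 to the end of the previous match, and runs it over a constructed WebDAV PROPFIND multistatus body of the kind an Apache mod_dav share returns. The HTTP response samples below are constructed for the test, not captured traffic, and the matcher is a simplification of the Snort/Suricata engine (no fast-pattern, no normalization), so it illustrates the logic rather than reproducing the engine.

```python
"""Emulate the ordered content matches of the ET WebDAV .lnk signature over a
constructed PROPFIND response, so the detection logic can be checked offline.
Added illustration only; the sample bodies below are constructed."""


# Content strings exactly as written in the rule; |3A| is Snort's hex escape
# for ':'. Every match is case-insensitive (nocase) and every match after the
# first must begin at or after the end of the previous one (distance:0).
RULE_CONTENTS = [
    "<lp2|3A|executable>T</lp2|3A|executable>",
    "<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>",
    "</D|3A|lockentry>",
    "<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>",
]


def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes, expanding |hh hh| escapes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text
        else:
            out += bytes.fromhex(part)         # hex run inside the pipes
    return bytes(out)


def rule_matches(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """True when every content string occurs in order (distance:0, nocase)."""
    hay = payload.lower()
    pos = 0
    for pat in contents:
        needle = decode_snort_content(pat).lower()
        idx = hay.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)  # next match is relative to end of this one
    return True


# Constructed server response: an executable property plus the usual
# exclusive-then-shared supportedlock block that mod_dav emits.
SAMPLE_MATCH = b"""HTTP/1.1 207 Multi-Status\r
Content-Type: text/xml; charset="utf-8"\r
\r
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:response><D:href>/share/</D:href><D:propstat><D:prop>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry>
<D:lockentry><D:lockscope><D:shared/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry>
</D:supportedlock>
</D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

# Same body, but the resource is not flagged executable: first content fails.
SAMPLE_NO_EXEC = SAMPLE_MATCH.replace(b"<lp2:executable>T<", b"<lp2:executable>F<")

# Same body with the shared lockentry listed before the exclusive one: the
# ordering enforced by distance:0 means the rule does not fire.
SAMPLE_SWAPPED = SAMPLE_MATCH.replace(
    b"<D:lockentry><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry>\n"
    b"<D:lockentry><D:lockscope><D:shared/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry>",
    b"<D:lockentry><D:lockscope><D:shared/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry>\n"
    b"<D:lockentry><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry>",
)


if __name__ == "__main__":
    for name, body in [("match", SAMPLE_MATCH), ("no_exec", SAMPLE_NO_EXEC),
                       ("swapped", SAMPLE_SWAPPED)]:
        print(f"{name}: {'ALERT' if rule_matches(body) else 'no alert'}")
```

The swapped sample is the instructive one: the signature does not just require both lock scopes to be present, it requires the exclusive scope, then a closing lockentry, then the shared scope in that sequence, so a server that lists its lock entries in the other order slips past rev:1 of this rule. That is worth knowing when tuning or when investigating why a known-noisy share did not trigger.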
