Educause Security Discussion mailing list archives

Snort rule for IE / VML issue


From: Chris Harrington <chris () INFOSECPODCAST COM>
Date: Tue, 19 Sep 2006 21:36:35 -0500

All,

I've put together a Snort rule / sig for the VML vulnerability in Internet
Explorer. ***NOTE*** this signature is rough and will have false positives
that will detect / block on ANY web page that uses the VML schema. This is
only meant to be temporary until MS fixes the issue. Also note that this
will not protect you from HTML email attacks in Outlook, unless the attacker
has an external link in the email.

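# Matches the VML namespace declaration in the HTTP response body (double quotes written as |22|).
# sid is a placeholder from the local-rule range.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"Possible MSIE VML Exploit"; flow:established,from_server; content:"<html xmlns:v=|22|urn:schemas-microsoft-com:vml|22|>"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; sid:1000001; rev:1;)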



If you have any questions please let me know.



--Chris



 <http://feeds.feedburner.com/Wwwinfosecpodcastcom> InfoSecPodcast.com
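
The false-positive behaviour described in the post, as an added example that is not part of the original message: a Python sketch that decodes a Snort `content` option (including `|22|` hex escapes) and applies it with `nocase` to constructed HTTP responses. The rule text is a payload-matching form of the posted signature and the sample responses and function names are assumptions made for this example.

```python
import re

# Constructed for this example: the posted signature written as a payload
# match, with the embedded double quotes as |22| hex escapes.
RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: '
        '(msg:"Possible MSIE VML Exploit"; flow:established,from_server; '
        'content:"<html xmlns:v=|22|urn:schemas-microsoft-com:vml|22|>"; '
        'nocase; classtype:misc-attack; rev:1;)')

# Constructed sample server responses: a harmless page that declares the
# VML namespace (in upper case) and a page with no VML at all.
BENIGN_VML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b'<HTML XMLNS:V="urn:schemas-microsoft-com:vml"><body>'
              b'<v:rect style="width:50pt;height:50pt"/></body></html>')
PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body>hello</body></html>")

def decode_content(rule):
    """Return (pattern_bytes, nocase) for the rule's first content option."""
    raw = re.search(r'\bcontent:"((?:[^"\\]|\\.)*)"', rule).group(1)
    out = bytearray()
    # Chunks at odd positions between pipes are hex bytes; the rest is text.
    for i, chunk in enumerate(raw.split("|")):
        if i % 2:
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
    return bytes(out), re.search(r";\s*nocase\s*;", rule) is not None

def fires(rule, http_response):
    """True if the content pattern occurs anywhere in the server's bytes.

    Assumption: the whole response is treated as one buffer; Snort itself
    matches per packet or reassembled stream.
    """
    pattern, nocase = decode_content(rule)
    if nocase:
        return pattern.lower() in http_response.lower()
    return pattern in http_response

if __name__ == "__main__":
    for name, resp in (("benign VML page", BENIGN_VML), ("plain page", PLAIN)):
        print(f"{name}: {'ALERT' if fires(RULE, resp) else 'no alert'}")
```

The benign VML page alerts because the signature keys on the namespace declaration alone, which is the false positive the post warns about.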



