Educause Security Discussion mailing list archives
Snort rule for IE / VML issue
From: Chris Harrington <chris () INFOSECPODCAST COM>
Date: Tue, 19 Sep 2006 21:36:35 -0500
All,

I've put together a Snort rule / sig for the VML vulnerability in Internet Explorer.

***NOTE*** this signature is rough and will have false positives that will detect / block on ANY web page that uses the VML schema. This is only meant to be temporary until MS fixes the issue. Also note that this will not protect you from HTML email attacks in Outlook, unless the attacker has an external link in the email.

# Matches the VML namespace declaration in the HTTP response body (content is used because uricontent only inspects request URIs); inner quotes are escaped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"Possible MSIE VML Exploit"; flow:established,from_server; content:"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; rev:1;)

If you have any questions please let me know.

--Chris
<http://feeds.feedburner.com/Wwwinfosecpodcastcom>
InfoSecPodcast.com
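A small lint for Snort 2.x rule options of the kind used in the message above, added here as an example and not part of the original post. It flags two pitfalls that keep a signature like this from ever firing: a content pattern with unescaped inner quotes, and uricontent combined with a server-to-client flow. The function names and both sample option strings are constructed for illustration, with the reference option left out.

```python
import re

# Constructed samples: one option body with raw inner quotes and uricontent,
# one with escaped quotes and content. Neither is copied from a rule set.
RAW = ('msg:"Possible MSIE VML Exploit"; flow:established,from_server; '
       'uricontent:"<html xmlns:v="urn:schemas-microsoft-com:vml">"; nocase; '
       'classtype:misc-attack; rev:1;')
ESCAPED = ('msg:"Possible MSIE VML Exploit"; flow:established,from_server; '
           r'content:"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">"; nocase; '
           'classtype:misc-attack; rev:1;')

# Exactly one quoted string (optionally negated); ", \ and ; must be escaped.
QUOTED = re.compile(r'!?"(?:[^"\\;]|\\.)*"')

def split_options(body):
    """Split an option body on ';' (honouring backslash escapes) into (key, value) pairs."""
    opts, cur, i = [], "", 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape pair intact
            cur += body[i:i + 2]
            i += 2
            continue
        if ch == ";":
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    opts.append(cur.strip())
    return [tuple(p.strip() for p in o.partition(":")[::2]) for o in opts if o]

def lint(body):
    """Return a list of findings for one rule's option body."""
    opts = split_options(body)
    to_client = any(k == "flow" and {"from_server", "to_client"} & set(v.split(","))
                    for k, v in opts)
    findings = []
    for key, val in opts:
        if key in ("content", "uricontent") and not QUOTED.fullmatch(val):
            findings.append(f"{key}: pattern is not a single quoted string (unescaped quote?)")
        if key == "uricontent" and to_client:
            findings.append("uricontent inspects the request URI and cannot match server responses")
    return findings

if __name__ == "__main__":
    for name, body in (("raw", RAW), ("escaped", ESCAPED)):
        print(name, lint(body) or "no findings")
```
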
Current thread:
- Snort rule for IE / VML issue Chris Harrington (Sep 19)
- <Possible follow-ups>
- Re: Snort rule for IE / VML issue Chris Green (Sep 20)
- Re: Snort rule for IE / VML issue Chris Harrington (Sep 20)