Snort mailing list archives
Rule 13573 question
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 5 Oct 2011 08:30:47 -0600
Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Outlook arbitrary command line attempt "; flow:from_server,established; content:"mailto|3A|"; nocase; pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi"; reference:cve,2008-0110; reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx; classtype:misc-attack; sid:13573; rev:4;)

In looking at the MS bulletin, this is an Outlook client issue, yes? Do people run Outlook over port 80? Anyways, the below link will fire this one off.

http://static.meteorsolutions.com/metsol.js

James
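Added example (not part of the original post): a small triage helper that applies the payload checks of the quoted rule to constructed HTTP response bodies, showing which shapes of ordinary web content satisfy the pcre. The function names and all sample bodies are assumptions made for illustration, none is taken from metsol.js, and Python's re module stands in for Snort's PCRE engine.

```python
import re

# Payload checks of sid 13573 as quoted in the post; the flow and port
# conditions of the rule are not modeled here.
CONTENT = b"mailto:"          # content:"mailto|3A|"; nocase;
PCRE = re.compile(
    rb"mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)",
    re.S | re.M | re.I,       # the rule's /smi flags
)

def match_13573(payload: bytes):
    """Return the bytes the pcre matched, or None if the rule would not fire."""
    if CONTENT not in payload.lower():
        return None
    m = PCRE.search(payload)
    return m.group(0) if m else None

# Constructed samples (hypothetical, not from any real site).
SAMPLES = {
    "minified JS share helper": (
        b'function share(u,t){var m="mailto:?subject="+encodeURIComponent(t)'
        b'+"&body="+encodeURIComponent(u),o={"via":"email","id":7};send(m,o)}'
    ),
    "HTML link closed by '>'": (
        b'<a href="mailto:help@example.com?subject=Hi">mail</a>'
        b'<script>var a=["x","y"]</script>'
    ),
    "JS without a query string": b'var m="mailto:help@example.com",n="x";',
}

def triage(samples=SAMPLES):
    """Map each sample name to the matched bytes (or None)."""
    return {name: match_13573(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, hit in triage().items():
        verdict = "FIRES: " + repr(hit[:60]) if hit else "no alert"
        print(f"{name:28} -> {verdict}")
```

The first sample fires because the pcre only requires that no '>' appears between "mailto:", a '?', and a later quote followed by a comma, a sequence that is common in minified JavaScript.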
Current thread:
- Rule 13573 question Lay, James (Oct 05)
- Re: Rule 13573 question Alex Kirk (Oct 05)