Snort mailing list archives
Microsoft Vulnerability CVE-2018-0950
From: אחיעד גלרנטר via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 15 Apr 2018 14:35:02 +0300
Hi, I am trying to understand the Snort rule for this CVE: CVE-2018-0950

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected"; flow:to_server,established; file_data; content:"|78 9F 3E 22|",depth 4; content:"Package"; content:"|5C 5C|",within 100; content:"METAFILE",distance 0; metadata:policy max-detect-ips drop,policy security-ips drop; service:smtp; reference:cve,2018-0950; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0950; classtype:policy-violation; sid:46266; rev:1; )

What did you mean by content:"Package" and by content:"METAFILE"? Why do these appear in the Snort rule? Are they necessary?

Thanks,
Achiad
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
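As an added example (not from this post and not Snort project code), here is a small Python emulation of how the four content checks in the posted rule chain together, which is the part the question is about. Each later match is constrained relative to the previous one: the 4-byte prefix must end inside the first 4 bytes (depth 4), "Package" may appear anywhere in the buffer, the two backslashes |5C 5C| must fall within 100 bytes after the end of "Package" (within 100), and "METAFILE" must start at or after the end of the backslashes (distance 0). The emulation also reproduces Snort's backtracking: if the relative checks fail after one occurrence of "Package", the next occurrence is tried. The sample buffers are constructed for the demonstration; the 4-byte prefix is copied from the posted rule as-is, the UNC path and filler are made up, and flow, file_data and service:smtp are not modelled.

```python
# Added example (not from the list post or the Snort project): a minimal
# emulation of how Snort chains the four content checks of the posted rule
# (SID 46266) using the depth / within / distance modifiers.
# Only content matching is modelled; flow, file_data and service are not.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None     # absolute: whole match inside the first `depth` bytes
    within: Optional[int] = None    # relative: whole match inside `within` bytes after the previous match
    distance: Optional[int] = None  # relative: match starts at least `distance` bytes after the previous match

    @property
    def relative(self) -> bool:
        return self.within is not None or self.distance is not None


# The four content checks of the posted rule, in rule order.
RULE_CONTENTS = [
    Content(bytes.fromhex("789F3E22"), depth=4),  # |78 9F 3E 22|, depth 4
    Content(b"Package"),                           # no modifier: searched anywhere in the buffer
    Content(b"\\\\", within=100),                  # |5C 5C|, within 100 bytes after "Package"
    Content(b"METAFILE", distance=0),              # at or after the end of the |5C 5C| match
]


def _candidate_ends(buf: bytes, c: Content, doe: int) -> List[int]:
    """End offsets of every occurrence of c.pattern that fits in c's search window.

    doe is the 'detect offset end': the end of the previous content match.
    """
    if c.relative:
        start = doe + (c.distance or 0)
        end = len(buf) if c.within is None else start + c.within
    else:
        start = 0
        end = len(buf) if c.depth is None else c.depth
    ends = []
    pos = buf.find(c.pattern, start)
    while pos != -1 and pos + len(c.pattern) <= end:
        ends.append(pos + len(c.pattern))
        pos = buf.find(c.pattern, pos + 1)
    return ends


def match_contents(buf: bytes, contents: List[Content], doe: int = 0, idx: int = 0) -> Optional[List[int]]:
    """Match contents in rule order; returns the end offset of each match, or None.

    Like Snort, when a later relative check fails, the next occurrence of the
    earlier pattern is tried instead of giving up (backtracking).
    """
    if idx == len(contents):
        return []
    for end in _candidate_ends(buf, contents[idx], doe):
        rest = match_contents(buf, contents, end, idx + 1)
        if rest is not None:
            return [end] + rest
    return None


def sid_46266_matches(buf: bytes) -> bool:
    return match_contents(buf, RULE_CONTENTS) is not None


# Constructed sample buffers (not real files). The 4-byte prefix is the one the
# posted rule anchors on; the UNC path and filler bytes are made up.
HDR = bytes.fromhex("789F3E22")
UNC = b"\\\\203.0.113.9\\share\\x.wmf"   # 25 bytes, starts with |5C 5C|

SAMPLE_HIT = HDR + b"\x00" * 20 + b"Package" + b"\x00" * 30 + UNC + b"\x00" * 10 + b"METAFILE"
# |5C 5C| sits 150 bytes after "Package": "within 100" rejects it.
SAMPLE_TOO_FAR = HDR + b"\x00" * 20 + b"Package" + b"\x00" * 150 + UNC + b"METAFILE"
# First "Package" is too far from |5C 5C|, a second one is close: backtracking finds it.
SAMPLE_BACKTRACK = (HDR + b"A" * 8 + b"Package" + b"B" * 200 + b"Package" + b"C" * 10
                    + b"\\\\srv\\s" + b"D" * 5 + b"METAFILE")
# "METAFILE" only occurs before |5C 5C|: "distance 0" requires it after.
SAMPLE_WRONG_ORDER = HDR + b"Package" + b"METAFILE" + b"\\\\x"
# Prefix shifted by one byte: "depth 4" requires it to end inside the first 4 bytes.
SAMPLE_SHIFTED_HDR = b"\x00" + SAMPLE_HIT


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("too_far", SAMPLE_TOO_FAR),
                      ("backtrack", SAMPLE_BACKTRACK), ("wrong_order", SAMPLE_WRONG_ORDER),
                      ("shifted_hdr", SAMPLE_SHIFTED_HDR)]:
        print(f"{name:12s} -> {sid_46266_matches(buf)}  {match_contents(buf, RULE_CONTENTS)}")
```

Dropping the "Package" and "METAFILE" checks from RULE_CONTENTS makes every buffer that starts with the prefix and contains two backslashes anywhere in the file match; the extra ordered contents are what narrow the rule to the specific byte layout the rule author wanted, and the relative modifiers tie them to each other rather than to the whole buffer.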