Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Vulnerability CVE-2018-0950‏

From: אחיעד גלרנטר via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 15 Apr 2018 14:35:02 +0300
 hi,
i try to understand the SNORT rule for this cve:

CVE-2018-0950

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER
Microsoft Office Outlook 2003 OLE information disclosure attempt detected";
flow:to_server,established; file_data; content:"|78 9F 3E 22|",depth 4;
content:"Package"; content:"|5C 5C|",within 100;
content:"METAFILE",distance 0; metadata:policy max-detect-ips drop,policy
security-ips drop; service:smtp; reference:cve,2018-0950; reference:url,
portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE 2018-0950
<http://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE2018-0950>;
classtype:policy-violation; sid:46266; rev:1; )


Why did you mean by  content:"Package", and by  content:"METAFILE"?

why this appears in the SNORT rule? this is necessary?

Thanks,
Achiad

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: