Educause Security Discussion mailing list archives
Re: Snort rule for IE / VML issue
From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 20 Sep 2006 08:43:51 -0500
You should be using content and not uricontent. I would shorten the signature to only v="urn:schemas-microsoft-com:vml" to get by some of the easier evasions such as <html >.

It's been a while since I did snort, but the http preprocessor will alert only on HTTP requests, not responses. Also, there is a httpflow preprocessor that says "only look at the first N bytes of a response." You'll want to disable that to alert on those attacks.

I don't think this signature should ever go off.

________________________________
From: Chris Harrington [mailto:chris () INFOSECPODCAST COM]
Sent: Tuesday, September 19, 2006 9:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Snort rule for IE / VML issue

All,

I've put together a Snort rule / sig for the VML vulnerability in Internet Explorer.

***NOTE**** this signature is rough and will have false positives that will detect / block on ANY web page that uses the VML schema. This is only meant to be temporary until MS fixes the issue. Also note that this will not protect you from HTML email attacks in Outlook, unless the attacker has an external link in the email.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"Possible MSIE VML Exploit"; flow:established,from_server; uricontent:"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; rev:1;)

If you have any questions please let me know.

--Chris
<http://feeds.feedburner.com/Wwwinfosecpodcastcom>
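To see the reply's points in working form, here is an added example (Python; not code from either post) that models Snort's content/nocase and uricontent matching, runs the original and shortened patterns over constructed server responses, and uses an assumed 300-byte limit to stand in for the "first N bytes of a response" inspection depth the reply mentions.

```python
"""Added example (not from the original posts): a small model of the
'content' vs 'uricontent' point made in the thread, run over constructed
HTTP traffic. Pattern strings are the ones discussed; samples are made up."""

# Signature as originally posted, and the shortened form suggested in the reply.
ORIGINAL_PATTERN = '<html xmlns:v="urn:schemas-microsoft-com:vml">'
SHORT_PATTERN = 'v="urn:schemas-microsoft-com:vml"'


def content_match(packet, pattern, depth=None):
    """Mimic 'content' with 'nocase': case-insensitive search over the payload.
    depth=None inspects everything; an integer mimics a response inspection
    limit (only the first N bytes are examined), as the reply warns about."""
    data = packet if depth is None else packet[:depth]
    return pattern.lower().encode() in data.lower()


def uricontent_match(packet, pattern):
    """Mimic 'uricontent': only the request URI of a client HTTP request is
    searched. A server response has no request line, so it can never match."""
    first_line = packet.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or parts[0].startswith(b"HTTP/"):
        return False  # not a request line (e.g. this is an HTTP response)
    return pattern.lower().encode() in parts[1].lower()


# Constructed server responses (not real captures).
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
EXACT_TAG = HEADERS + b'<html xmlns:v="urn:schemas-microsoft-com:vml"><body>..</body></html>'
EXTRA_SPACE = HEADERS + b'<HTML  xmlns:v="urn:schemas-microsoft-com:vml"><body>..</body></html>'
PADDED = HEADERS + b"<!--" + b"A" * 400 + b"-->" + b'<html xmlns:v="urn:schemas-microsoft-com:vml">'


def evaluate():
    """Run both signature forms over the samples and return what fires."""
    return {
        # uricontent looks at request URIs, so on from_server traffic the
        # original rule never fires, even when the exact tag is present.
        "uricontent_on_response": uricontent_match(EXACT_TAG, ORIGINAL_PATTERN),
        "original_exact": content_match(EXACT_TAG, ORIGINAL_PATTERN),
        "original_extra_space": content_match(EXTRA_SPACE, ORIGINAL_PATTERN),
        "short_extra_space": content_match(EXTRA_SPACE, SHORT_PATTERN),
        # An assumed 300-byte inspection limit never reaches the markup.
        "short_depth_300": content_match(PADDED, SHORT_PATTERN, depth=300),
        "short_full_depth": content_match(PADDED, SHORT_PATTERN),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:24} {'ALERT' if fired else 'no alert'}")
```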
Current thread:
- Snort rule for IE / VML issue Chris Harrington (Sep 19)
- <Possible follow-ups>
- Re: Snort rule for IE / VML issue Chris Green (Sep 20)
- Re: Snort rule for IE / VML issue Chris Harrington (Sep 20)