Educause Security Discussion mailing list archives

Re: Snort rule for IE / VML issue


From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 20 Sep 2006 08:43:51 -0500

You should be using content and not uricontent.  I would shorten the
signature to only v="urn:schemas-microsoft-com:vml" to get by some of
the easier evasions such as <html >

It's been a while since I did snort, but the http preprocessor will
alert only on HTTP requests, not responses.  Also, there is a httpflow
preprocessor that says "only look at the first N bytes of a response."
You'll want to disable that to alert on those attacks.

I don't think this signature should ever go off. 

________________________________

From: Chris Harrington [mailto:chris () INFOSECPODCAST COM] 
Sent: Tuesday, September 19, 2006 9:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Snort rule for IE / VML issue

All,

I've put together a Snort rule / sig for the VML vulnerability in
Internet Explorer. ***NOTE**** this signature is rough and will have
false positives that will detect / block on ANY web page that uses the
VML schema. This is only meant to be temporary until MS fixes the issue.
Also note that this will not protect you from HTML email attacks in
Outlook, unless the attacker has an external link in the email. 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"Possible MSIE VML Exploit"; flow:established,from_server; uricontent:"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; rev:1;)

If you have any questions please let me know.

--Chris

  <http://feeds.feedburner.com/Wwwinfosecpodcastcom> 
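Applying the reply's two suggestions (content instead of uricontent, and matching only the VML namespace attribute) to the posted rule, as an added example that is code from neither poster: it emulates Snort's content/nocase matching in Python over a few constructed response bodies to show which variants of the opening tag the full-tag pattern misses, and assembles the revised rule with a placeholder sid. As the reply notes, the rule still only fires if the HTTP preprocessor is configured to inspect server responses.

```python
from typing import Dict, Tuple

# Pattern the posted rule matches (the whole opening tag) versus the
# shortened one the reply recommends (only the VML namespace attribute).
POSTED_PATTERN = '<html xmlns:v="urn:schemas-microsoft-com:vml">'
SHORT_PATTERN = 'v="urn:schemas-microsoft-com:vml"'


def snort_content_escape(s: str) -> str:
    """Escape a literal for a Snort content:"..." option.
    Snort requires backslash, double quote and semicolon to be backslash-escaped;
    a literal pipe is written as the hex byte |7C|."""
    out = s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return out.replace("|", "|7C|")


# Revised rule applying the reply's advice. The sid is a constructed
# placeholder in the local (1000000+) range, not a value from the thread.
REVISED_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: ('
    'msg:"Possible MSIE VML Exploit"; flow:established,from_server; '
    f'content:"{snort_content_escape(SHORT_PATTERN)}"; nocase; '
    'reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; '
    'classtype:misc-attack; sid:1000001; rev:2;)'
)


def content_match(pattern: str, body: str) -> bool:
    """Emulate Snort's content option with nocase: case-insensitive substring search."""
    return pattern.lower() in body.lower()


# Constructed HTTP response bodies: one literal hit, three harmless-looking
# rewrites of the same tag, and one page without the VML namespace at all.
SAMPLE_BODIES: Dict[str, str] = {
    "exact": '<html xmlns:v="urn:schemas-microsoft-com:vml"><body></body></html>',
    "extra_space": '<html  xmlns:v="urn:schemas-microsoft-com:vml"><body></body></html>',
    "attr_order": '<html xmlns:o="urn:schemas-microsoft-com:office:office" '
                  'xmlns:v="urn:schemas-microsoft-com:vml">',
    "mixed_case": '<HTML XMLNS:V="urn:schemas-microsoft-com:vml">',
    "no_vml": '<html xmlns="http://www.w3.org/1999/xhtml"><body>plain</body></html>',
}


def compare_patterns(bodies: Dict[str, str] = SAMPLE_BODIES) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (posted pattern hit, shortened pattern hit)} for each body."""
    return {n: (content_match(POSTED_PATTERN, b), content_match(SHORT_PATTERN, b))
            for n, b in bodies.items()}


if __name__ == "__main__":
    for name, (posted, short) in compare_patterns().items():
        print(f"{name:12} posted={posted!s:5} shortened={short}")
    print(REVISED_RULE)
```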
