Re: Microsoft .lnk vulnerability

[Joel Esler <jesler () sourcefire com>]

There was a rule published on July 13:

16665

Joel

On Jul 22, 2010, at 9:01 AM, John York wrote:

> Hi
> I've been watching the VRT blog and the lists to see if there are any rules or comments on the current 0day for MS 
> .lnk files (CVE-2010-2568, http://www.microsoft.com/technet/security/advisory/2286198.mspx).  I realize that an 
> internal infection from fileshares would be difficult to detect if your IDS is at the perimeter, but it would be 
> helpful in the event that a user has managed to map a drive to the outside.  I've seen a signature that looks for 
> .lnk files coming from web servers, but that's going to miss a lot and FP a lot.  Hopefully the current blog/pr war 
> isn't distracting everyone...
> Thanks
> John
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users