Snort mailing list archives

Re: coughing up water on FP and notifications


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Fri, 1 Apr 2011 08:31:02 -0400

On Fri, 1 Apr 2011 13:59:25 +0200, Crusty Saint wrote:

For http://www.snort.org/search/sid/3-15114 I see repeated alerts 
but this confuses me. From what I've read this should mean there is 
an actual exploit being executed. From what I think I understand 
this means there is a vulnerable service accessible OR there is 
actually code being run against a vulnerable service. Based on the 
specific rule I'm assuming this is most likely and indeed bad news.

That rule is for a client-side Internet Explorer issue. When IE gets 
data from an embedded object on a web page, it doesn't deal with it 
properly, so if that object is malformed in some way it is possible to 
add some extra goodness to it that is then executed on the client. 
However, the stack execution is only possible on certain versions of IE 
and the underlying OS is also important. IE 5.x on Win2k is certainly 
exploitable in this way, but IE 6 on the same platform isn't (even 
though you can still overwrite a tiny little bit of the stack). For IE 
6 on WinXP though, the result of the attack is a denial of service. 
Newer versions of IE are not vulnerable at all. 

I'm sure you've looked at the references that come with that rule:

 http://www.microsoft.com/technet/security/bulletin/MS08-073.mspx

 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4261

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
