Snort mailing list archives
Re: coughing up water on FP and notifications
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Fri, 1 Apr 2011 08:31:02 -0400
On Fri, 1 Apr 2011 13:59:25 +0200, Crusty Saint wrote:
For http://www.snort.org/search/sid/3-15114 I see repeated alerts but this confuses me. From what I've read this should mean there is an actual exploit being executed. From what I think to understand this means there is a vulnerable service accessible OR there is actually code being run against a vulnerable service. Based on the specific rule I'm assuming this is most likely and indeed bad news.
That rule is for a client-side Internet Explorer issue. When IE gets data from an embedded object on a web page, it doesn't deal with it properly, so if that object is malformed in some way it is possible to add some extra goodness to it that is then executed on the client.

However, the stack execution is only possible on certain versions of IE and the underlying OS is also important. IE 5.x on Win2k is certainly exploitable in this way, but IE 6 on the same platform isn't (even though you can still overwrite a tiny little bit of the stack). For IE 6 on WinXP though, the result of the attack is a denial of service. Newer versions of IE are not vulnerable at all.

I'm sure you've looked at the references that come with that rule:

http://www.microsoft.com/technet/security/bulletin/MS08-073.mspx
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4261

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
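Added example, not part of the original message or of any Sourcefire code: a triage helper that ranks clients which triggered SID 3:15114 by the impact the reply above gives for each IE/OS combination. It assumes the client's User-Agent is available (for instance from proxy logs) and treats it as a spoofable hint; the function names and sample records are constructed for illustration.

```python
import re

# Impact per (IE major version, Windows NT token), taken from the reply above.
# "Windows NT 5.0" is Windows 2000 and "Windows NT 5.1" is Windows XP.
IMPACT = {
    (5, "5.0"): "code-execution",
    (6, "5.0"): "not-exploitable",    # only a tiny stack overwrite
    (6, "5.1"): "denial-of-service",
}
PRIORITY = ["code-execution", "denial-of-service", "unknown",
            "not-exploitable", "not-vulnerable", "not-ie"]

MSIE_RE = re.compile(r"\bMSIE (\d+)\.")
NT_RE = re.compile(r"\bWindows NT (\d+\.\d+)")


def triage(user_agent):
    """Classify one alerting client from its (spoofable) User-Agent."""
    ua = user_agent or ""
    msie = MSIE_RE.search(ua)
    if not msie:
        # IE 11 dropped the MSIE token but is still newer than IE 6.
        return "not-vulnerable" if "Trident/" in ua else "not-ie"
    ie_major = int(msie.group(1))
    if ie_major > 6:
        return "not-vulnerable"
    nt = NT_RE.search(ua)
    # Combinations the reply does not cover stay "unknown" for manual review.
    return IMPACT.get((ie_major, nt.group(1) if nt else None), "unknown")


def rank_alerts(alerts):
    """Sort (client_ip, user_agent) pairs so the worst impact comes first."""
    scored = [(ip, triage(ua)) for ip, ua in alerts]
    return sorted(scored, key=lambda pair: PRIORITY.index(pair[1]))


# Constructed sample: clients that triggered the rule, with proxy-logged UAs.
SAMPLE = [
    ("10.0.0.21", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("10.0.0.22", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    ("10.0.0.23", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"),
    ("10.0.0.24", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("10.0.0.25", "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"),
    ("10.0.0.26", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"),
]

if __name__ == "__main__":
    for ip, verdict in rank_alerts(SAMPLE):
        print(f"{ip:<12} {verdict}")
```

Hosts ranked "unknown" are combinations the reply does not address and need a manual check against the MS08-073 bulletin.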