Snort mailing list archives

Re: SID 17458 matching EICAR rather than intended vuln.


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Oct 2011 16:36:44 -0400

Jeff --

We're looking into this now.  Thanks for writing in.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 21, 2011, at 10:49 AM, Jeff Jarmoc wrote:

SID 17458 appears to be triggering on the EICAR anti-virus test
pattern, rather than anything related to the vuln it references.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
BitDefender Internet Security script code execution attempt";
flow:to_client,established; content:"|58 35 4F 21 50 25 40 41 50 5B 34
5C 50 5A 58 35|"; fast_pattern:only; metadata:policy balanced-ips
drop, policy security-ips drop, service http; reference:cve,2009-0850;
classtype:attempted-user; sid:17458; rev:2;)

CVE-2009-0850 is for an XSS attack against BitDefender, using the
filename of an infected file as a vector.  While it's possible that
file could contain EICAR, it's not the EICAR pattern itself that
triggers the exploit.

Could it be someone was looking at a proof of concept that used EICAR
and mistakenly wrote the sig to catch EICAR rather than the XSS in the
filename?

The sample I'm looking at does not have any XSS in the name.
