Snort mailing list archives
Re: SID 17458 matching EICAR rather than intended vuln.
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Oct 2011 16:36:44 -0400
Jeff --

We're looking into this now. Thanks for writing in.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 21, 2011, at 10:49 AM, Jeff Jarmoc wrote:

> SID 17458 appears to be triggering on the EICAR anti-virus test pattern, rather than anything related to the vuln it references.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT BitDefender Internet Security script code execution attempt"; flow:to_client,established; content:"|58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-0850; classtype:attempted-user; sid:17458; rev:2;)
>
> CVE-2009-0850 is for an XSS attack against BitDefender, using the filename of an infected file as a vector. While it's possible that file could contain EICAR, it's not the EICAR pattern itself that triggers the exploit. Could it be someone was looking at a proof of concept that used EICAR and mistakenly wrote the sig to catch EICAR rather than the XSS in the filename? The sample I'm looking at does not have any XSS in the name.
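To make the report above reproducible without a Snort install, here is an added example (not code from the thread, from Sourcefire, or from the VRT) that decodes the rule's `content:` option and runs a content-only match against two constructed server-to-client responses. The `|..|` hex decodes to `X5O!P%@AP[4\PZX5`, which is the first 16 bytes of the EICAR test string; the sample bodies, the `decode_content`/`would_fire` helpers and the assumption that the rule's `flow`/`service` conditions are already satisfied are all mine, not part of the original post.

```python
import re

# Rule text exactly as posted in the thread.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"WEB-CLIENT BitDefender Internet Security script code execution attempt"; '
    'flow:to_client,established; '
    'content:"|58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35|"; fast_pattern:only; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; '
    'reference:cve,2009-0850; classtype:attempted-user; sid:17458; rev:2;)'
)

# First 16 bytes of the EICAR test string, spelled out from the standard so the
# decoded rule content can be compared against it (only the prefix is embedded).
EICAR_PREFIX = b"X5O!P%@AP[4\\PZX5"


def decode_content(spec: str) -> bytes:
    """Decode a Snort content: string: text between '|' pairs is hex, the rest literal.
    Assumption: no escaped quotes or pipes in the spec (true for this rule)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                          # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def rule_contents(rule: str) -> list:
    """Every content: pattern in the rule, decoded to bytes, in order."""
    return [decode_content(m) for m in re.findall(r'content:"([^"]*)"', rule)]


def rule_option(rule: str, name: str) -> str:
    """Value of a single keyword:value option such as sid or reference."""
    m = re.search(r"\b" + re.escape(name) + r":([^;]*);", rule)
    return m.group(1).strip() if m else ""


def would_fire(rule: str, payload: bytes) -> bool:
    """Content-only check: every content: pattern of the rule occurs in the payload.
    Flow, ports and service are assumed satisfied (server-to-client HTTP)."""
    return all(pat in payload for pat in rule_contents(rule))


# Constructed server->client HTTP responses (not captured traffic).
# 1) A download whose body is an EICAR test file; only the 16-byte prefix is embedded.
EICAR_DOWNLOAD = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="eicar.com"\r\n\r\n'
    + EICAR_PREFIX + b"...rest of test file omitted..."
)
# 2) A page whose only hostile element is script inside a filename; no EICAR bytes at all.
XSS_FILENAME_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Infected file: <script>alert(1)</script>.exe</body></html>"
)

if __name__ == "__main__":
    print("sid", rule_option(RULE, "sid"), "ref", rule_option(RULE, "reference"))
    print("decoded content:", rule_contents(RULE)[0])
    print("matches EICAR prefix:", rule_contents(RULE)[0] == EICAR_PREFIX)
    print("fires on EICAR download:", would_fire(RULE, EICAR_DOWNLOAD))
    print("fires on XSS-in-filename page:", would_fire(RULE, XSS_FILENAME_PAGE))
```

The check deliberately evaluates only the `content:` match, which is the only payload condition this rule carries; in a real deployment `flow:to_client,established` and `service http` still have to hold, so a true positive needs stream reassembly to see the download direction. A `<script>` in a filename is used only as a stand-in for "something in the name, not the bytes"; it is not a claim about how CVE-2009-0850 is triggered.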