Snort mailing list archives

Rule 13573 question


From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 5 Oct 2011 08:30:47 -0600

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Outlook arbitrary command line attempt ";
flow:from_server,established; content:"mailto|3A|"; nocase;
pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi";
reference:cve,2008-0110;
reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx;
classtype:misc-attack; sid:13573; rev:4;)

 

In looking at the MS bulletin, this is an Outlook client issue, yes? Do
people run Outlook over port 80? Anyways, the below link will fire this
one off.

 

http://static.meteorsolutions.com/metsol.js

 

James
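
Added example, not part of the original message: the rule's two payload options (the nocase `content` and the `pcre`) evaluated in Python against constructed server response bodies, to show which shapes of ordinary web content satisfy the pattern. Python's `re` stands in for PCRE here, `flow` and stream reassembly are not modeled, and the sample bodies are made up for illustration (they are not the contents of the file linked above).

```python
import re

# Payload options of sid 13573 as quoted in the message above.
CONTENT = b"mailto:"                      # content:"mailto|3A|"; nocase;
PCRE = re.compile(
    rb"mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)",
    re.S | re.M | re.I,                   # the rule's /smi flags
)

def check_payload(payload: bytes):
    """Return (content_hit, matched_bytes_or_None) for one response body."""
    content_hit = CONTENT in payload.lower()
    if not content_hit:
        return False, None                # pcre is not reached without the content hit
    m = PCRE.search(payload)
    return True, (m.group(0) if m else None)

# Constructed sample bodies (assumptions, for illustration only).
SAMPLES = {
    # JavaScript object literal: nothing between "mailto:" and the next '",' is a '>'
    "js_share_widget": b'var links={"email":"mailto:?subject=Shared%20page","print":"#"};',
    # HTML anchor: the closing '>' stops [^>]* before any quote-comma pair
    "html_anchor_query": b'<a href="mailto:help@example.com?subject=Hi">Contact</a>, "us", today',
    # HTML anchor with no query string: content hits, pcre has no '?' to match
    "html_anchor_plain": b'<a href="mailto:help@example.com">Contact</a>',
    # No mailto at all
    "no_mailto": b'var a = ["x","y"];',
}

def run_samples():
    return {name: check_payload(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (content_hit, matched) in run_samples().items():
        print(f"{name:18} content={content_hit!s:5} pcre={matched!r}")
```

Only the JavaScript sample matches: the pattern's sole delimiter is `>`, so a script or JSON body that holds a `mailto:` link with a query string inside a quoted value followed by a comma satisfies it.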

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org