Snort mailing list archives

sid 15554


From: yew chuan Ong <yewchuan_23 () yahoo com>
Date: Sun, 6 Jan 2013 05:14:01 -0800 (PST)

Hi,

Hope someone can help me with this.

I am wondering why the description of this signature is as such:
"A vulnerability exists in the way that Internet Explorer handles ActiveX controls that may present an attacker with 
the opportunity to run code of their choosing on a host. In particular, this event is generated when a call to the 
Application Server 10g is made."

I thought it was to detect an attempt to exploit a format string vulnerability in OPMN. Any relation to IE and ActiveX?

Also, does anyone know why this sig was crafted as such:
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6000:6199] (msg:"ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt"; flow:to_server,established; content:"HTTP"; nocase; pcre:"/^(GET|POST|HEAD)\s+[^\x25]*\x25[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]/i"; metadata:policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0993; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:attempted-admin; sid:15554; rev:2;)

Thanks!
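
The payload options of the rule quoted above can be exercised offline to see which request lines it matches. This is an added example, not part of the original post or of Snort itself: Python's `re` stands in for PCRE, only `content` and `pcre` are modelled (not ports or flow), and every sample request is constructed.

```python
import re

# PCRE copied from sid 15554 as quoted in the post; the /i flag becomes re.IGNORECASE.
# Shape: HTTP method, whitespace, any run without '%', then '%', optional
# flag/width/length characters, and finally a printf-style conversion letter.
SID_15554_PCRE = re.compile(
    rb"^(GET|POST|HEAD)\s+[^\x25]*\x25"
    rb"[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]",
    re.IGNORECASE,
)


def rule_matches(payload: bytes) -> bool:
    """Model the rule's payload options: content:"HTTP"; nocase; then the pcre."""
    if b"http" not in payload.lower():
        return False
    return SID_15554_PCRE.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain_request": b"GET /index.html HTTP/1.1\r\n\r\n",
    # '%08x' reads as a printf conversion: digits, then 'x'.
    "printf_style": b"GET /constructed%08x HTTP/1.1\r\n\r\n",
    # Ordinary URL encoding: '%20' followed by 'D' looks like '%20d' under /i.
    "encoded_space": b"GET /docs/My%20Documents HTTP/1.1\r\n\r\n",
    # '%2F' (encoded slash) looks like '%2f' under /i.
    "encoded_slash": b"GET /a%2Fb HTTP/1.1\r\n\r\n",
    # '%2B' is not a conversion: 'b' is in neither character class.
    "encoded_plus": b"GET /search?q=a%2Bb HTTP/1.1\r\n\r\n",
    # The method alternation is anchored, so other verbs never match.
    "other_method": b"OPTIONS /constructed%d HTTP/1.1\r\n\r\n",
    # The pcre would match, but the content:"HTTP" check fails first.
    "no_http_token": b"GET /constructed%d\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Return {sample name: whether the modelled rule would fire}."""
    return {name: rule_matches(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:15s} {'ALERT' if fired else 'no match'}")
```

The `encoded_space` and `encoded_slash` results show that routine URL encoding on the monitored ports can satisfy the same pattern as a printf-style specifier.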