Written by Matt Jonkman
Wednesday, 13 February 2008

Three interesting sigs in from Akash Mahajan of StillSecure this morning.

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Aurigma Image Uploader ImageUploaer4.ocx ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"0x40000"; content:"Acton"; nocase; content:"clsid"; nocase; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; classtype:web-application-attack; reference:bugtraq,27539; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007815; rev:2;)

The above replaces the previous sig, which was just looking for the CLSID.

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; classtype:web-application-attack; sid:2007847; rev:1;)

For the Sony exploit, and finally:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; flow:to_client,established; content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; reference:bugtraq,24426; classtype:web-application-attack; sid:2007848; rev:1;)

Thanks for submitting these, Akash. As always, please report any issues or feedback.

Matt

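
To make concrete what these content/nocase chains require of a server response, and why the new Aurigma rule is tighter than the CLSID-only one it replaces, here is a small evaluator (an added example, not code from the post or from the ET ruleset). It handles only the option subset the three rules use, plain content strings with an optional nocase and no distance/within modifiers, and the sample pages it checks are constructed for the example.

```python
import re

# Evaluator for the option subset these three signatures use: a chain of
# content:"..." options, each optionally followed by nocase. Assumption: no
# |hex| escapes and no distance/within/offset/depth modifiers, which holds
# for the rules quoted above. Without relative modifiers Snort searches each
# content anywhere in the payload, so a rule fires only when every content
# string is present somewhere, in any order.

RULES = {
    2007815: ('content:"0x40000"; content:"Acton"; nocase; content:"clsid"; nocase; '
              'content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase;'),
    2007847: ('content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; '
              'nocase; content:"SetLogging"; nocase;'),
    2007848: ('content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; '
              'nocase; content:"0x40000"; content:"FindEngine"; nocase;'),
}

OPTION_RE = re.compile(r'content:"([^"]*)";(\s*nocase;)?')

def parse_contents(options):
    """Return [(pattern, nocase)] in the order the rule lists them."""
    return [(m.group(1), m.group(2) is not None) for m in OPTION_RE.finditer(options)]

def rule_matches(options, payload):
    """True when every content option of the rule is found in the payload."""
    for pattern, nocase in parse_contents(options):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

def matching_sids(payload):
    """SIDs from RULES that would fire on this server-to-client payload."""
    return sorted(sid for sid, opts in RULES.items() if rule_matches(opts, payload))

# Constructed responses. KB_PAGE only names the Aurigma CLSID, the situation
# the CLSID-only rule alerted on; the replacement rule stays quiet on it.
KB_PAGE = ("<p>The uploader control is registered under "
           "CLSID:6E5E167B-1566-4316-B27F-0DDAB3484CF7.</p>")
# Every token of sid 2007815 (tokens only, not a working page).
ALL_TOKENS = "clsid 6E5E167B-1566-4316-B27F-0DDAB3484CF7 Acton 0x40000"
# 0x40000 carries no nocase in rule 2007815, so altering its case must not fire.
WRONG_CASE = ALL_TOKENS.replace("0x40000", "0X40000")

if __name__ == "__main__":
    for name, page in [("KB_PAGE", KB_PAGE), ("ALL_TOKENS", ALL_TOKENS), ("WRONG_CASE", WRONG_CASE)]:
        print(name, matching_sids(page))
```

The Sony rule marks 0x40000 nocase while the Aurigma rule does not, so the same marker in a different case matches one rule and not the other; that kind of inconsistency is worth checking whenever you port a community sig.
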
Last Updated ( Monday, 18 February 2008 )

Written by Matt Jonkman
Tuesday, 12 February 2008

In keeping with recent tradition, we've got a new signature out for the recent wave of Storm crud. It's simple, but the feedback from the New Year's and subsequent signatures has been very positive.

Note: Storm doesn't exploit any particular vulnerability to spread (unless you consider clicking users a true vulnerability). This signature just detects an HTTP request for /valentine.exe, which is the form the current wave is taking.

http://doc.emergingthreats.net/bin/view/Main/2007835

We'll drop this in a week or two, likely to be replaced by Easter stuff. My official prediction: /happyeaster.exe...

Matt

Written by Matt Jonkman
Tuesday, 05 February 2008

http://www.emergingthreats.net/fwrules/

We've added the known RBN networks to the firewall rules available at the above link. Those are all updated every 24 hours. The RBN net IPs will update as we add them; we find a few a month generally, so it's worth updating them regularly.

We've also added support for Cisco Pix firewalls. The filenames should be self-explanatory; you can use individual sets or all in one. If you're not familiar, these are files you can include in regular firewall updates, with preconfigured sets for IPF, IP, IPTables, and Cisco Pix. Sources include the DShield Top 20 Attackers, Shadowserver's Active C&C list, the Spamhaus DROP list, and now the known RBN networks.

Please report any issues!

Matt

Last Updated ( Tuesday, 05 February 2008 )