Anonymously submitted sigs for the Adobe PDF Exploit of the day are now available. Please test and let us know how they go!
These are for HTTP connections inbound. If we need them for other ports we can look at that. Email is a challenge of course because of MIME encoding, but other things are possible.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB Adobe PDF JBIG2 buffer overflow CVE-2009-0658 remote code execution attempt HTTP inbound"; flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream|0D 0A 00 00 00 01|"; distance:0; byte_test:1,&,64,0,relative; byte_test:1,<,32,1,relative; byte_test:4,>,35256,2,relative,little; reference:bugtraq,33751; classtype:attempted-user; sid:2009112; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB Adobe PDF JBIG2 buffer overflow CVE-2009-0658 remote code execution attempt HTTP inbound 2"; flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream|0A 00 00 00 01|"; distance:0; byte_test:1,&,64,0,relative; byte_test:1,<,32,1,relative; byte_test:4,>,35256,2,relative,little; reference:bugtraq,33751; classtype:attempted-user; sid:2009113; rev:1;)
Matt
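As an added example that is not part of the post or the ET ruleset, the following Python reimplements the content and byte_test chain of the two rules so the masks and thresholds can be exercised offline on a constructed PDF-like fragment; the fragment, the helper names and the header byte layout it emits are assumptions made for the demonstration.

```python
import re
import struct

# Masks and thresholds copied from the two ET rules (sid 2009112 / 2009113)
FLAGS_MASK = 0x40      # byte_test:1,&,64,0,relative  -> JBIG2 segment flags byte
REFERRED_MAX = 32      # byte_test:1,<,32,1,relative  -> referred-to segments byte
VALUE_MIN = 35256      # byte_test:4,>,35256,2,relative,little -> 4 bytes at offset 2

# "stream" + CRLF (sid 2009112) or LF (sid 2009113), then segment number 0x00000001
SEGMENT_RE = re.compile(rb"stream(\r\n|\n)\x00\x00\x00\x01")


def match_jbig2_rule(data: bytes):
    """Apply the rules' content + byte_test chain to a byte buffer.

    Returns the sid of the rule that would fire, or None if neither would.
    """
    # content:"JBIG2Decode"; nocase;  (every later occurrence also lies after
    # the first one, so searching from the first match is sufficient)
    first = data.lower().find(b"jbig2decode")
    if first < 0:
        return None
    # distance:0 -> the segment match must begin after the JBIG2Decode match;
    # Snort backtracks over every candidate, so check each one.
    for m in SEGMENT_RE.finditer(data, first + len(b"jbig2decode")):
        hdr = data[m.end():m.end() + 6]
        if len(hdr) < 6:
            continue
        flags, referred = hdr[0], hdr[1]
        value = struct.unpack("<I", hdr[2:6])[0]   # "little" in the byte_test
        if (flags & FLAGS_MASK) and referred < REFERRED_MAX and value > VALUE_MIN:
            return 2009112 if m.group(1) == b"\r\n" else 2009113
    return None


def build_sample(eol: bytes, flags: int, referred: int, value: int) -> bytes:
    """Constructed PDF-like fragment (not a real document) with one JBIG2 stream."""
    header = struct.pack("<BBI", flags, referred, value)   # assumed header bytes
    return (b"%PDF-1.4\n5 0 obj\n<< /Filter /JBIG2Decode /Length 30 >>\n"
            b"stream" + eol + b"\x00\x00\x00\x01" + header + b"\x00" * 20 +
            b"\nendstream\nendobj\n")


if __name__ == "__main__":
    print(match_jbig2_rule(build_sample(b"\r\n", 0x40, 0, 40000)))   # 2009112
    print(match_jbig2_rule(build_sample(b"\n", 0x40, 0, 40000)))     # 2009113
    print(match_jbig2_rule(build_sample(b"\n", 0x00, 0, 40000)))     # None
```

Flipping one field at a time in `build_sample` shows which of the three byte_test conditions a given stream fails, which is useful when tuning the rules against false positives on benign JBIG2 content.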