[Snort-sigs] [Fwd: CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer]

Chris Green cmg at ...26...
Mon Feb 25 19:06:03 EST 2002

Vjay LaRosa <vjayl at ...375...> writes:

> Does any one have a signature for this yet? Thanks!

Unfortunately, I can't think of a signature I couldn't work around
with a plausible exploit or not subject to a high false alarm rate.

# catch  possible EMBED attacks to mail clients -- this message will
# set it off 

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (content: "EMBED"; nocase; msg: "Possible
Embed Overflow"; flagse: A+; )

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (content: "EMBED"; nocase;
msg: "Possible Embed Overflow"; flags: A+; )

>>      <EMBED TYPE="audio/midi" SRC="/path/sound.mid"
> AUTOSTART="true">

I the only way I can really think of catching a rule like this would
have to involve a regular expression over a stream content which would
be a very slow operation unless we did a protcol/application decoder
that saw HTML and one could write rules that said

html_tag: "embed"; attribute: "src", value_length:....." or somehting

or something similar.  If anyone has any brainstorming ideas on how to
handle this, I'm all ears.

What will probably be done for this is wait for proof of concept and
see how it works but this does look like the type of stuff we want to
be able to allow plugins to be developed for in snort 2.0

Chris Green <cmg at ...26...>
Eschew obfuscation.

More information about the Snort-sigs mailing list