[Snort-sigs] New adobe vulnerability

Matthew Jonkman matt at ...2436...
Wed Aug 18 09:06:10 EDT 2004


Just put this rule up on the bleedingsnort.com set for the new adobe 
exploit detailed here:
http://idefense.com/application/poi/display?id=126&type=vulnerabilities

The rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
Adobe Acrobat Reader Malicious URL Null Byte"; 
reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; 
uricontent:".pdf%00"; classtype:web-attack; sid:2002001; rev:1;)

I'm posting this because this just seems far too simple. I have to be 
missing something. This look right to everyone?

Matt




More information about the Snort-sigs mailing list