[Snort-sigs] New adobe vulnerability

Joseph Gama josephgama at ...144...
Thu Aug 19 13:18:20 EDT 2004

My rule was posted the same day as this posting and it
has no false positives:

alert tcp any any -> any any (msg:"Adobe
Acrobat/Acrobat Reader ActiveX Control Buffer Overflow
classtype:misc-activity; sid:2000000; rev:1;)

The problem with ".pdf|00|"; nocase; is that the zero
char is a string terminator in C and executables can
cause false positives. Plus my rule looks for the
whole exploit to make sure it's not a false positive.
I did forget the ip/ports and flow but that's easy to

--- Matthew Jonkman <matt at ...2436...> wrote:

> Just put this rule up on the bleedingsnort.com set
> for the new adobe 
> exploit detailed here:
> The rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"Adobe Acrobat Reader Malicious URL Null Byte";
> uricontent:".pdf%00"; classtype:web-attack;
> sid:2002001; rev:1;)
> I'm posting this because this just seems far too
> simple. I have to be 
> missing something. This look right to everyone?
> Matt

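As an added illustration (not code from either poster), here is a small Python model of the two matching styles the thread compares: a raw-byte content match such as ".pdf|00|" with nocase, which sees every 0x00 in a download, and a uricontent match that only inspects the request URI. The samples are constructed, and the model assumes no HTTP URI normalization runs before matching, so "%00" stays as the literal three characters it is on the wire.

```python
import re

def parse_snort_content(spec):
    """Decode a Snort content string: text outside |..| is literal,
    text inside |..| is hex bytes (so '.pdf|00|' -> b'.pdf\\x00')."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def content_match(payload, spec, nocase=False):
    """Emulate content: search the whole raw payload for the bytes."""
    needle = parse_snort_content(spec)
    return (needle.lower() in payload.lower()) if nocase else (needle in payload)

def uricontent_match(payload, spec):
    """Emulate uricontent: look only at the URI of an HTTP request line.
    Assumption: no URL decoding of %00 is applied before matching."""
    m = re.match(rb"[A-Z]+ (\S+) HTTP/\d", payload)
    return bool(m) and spec.encode("latin-1").lower() in m.group(1).lower()

# Constructed samples: a request carrying the null-byte URL pattern the
# thread discusses, a harmless PDF download, and a slice of an executable
# whose string table holds a NUL-terminated ".PDF" string (the C string
# terminator Joseph points to as the false-positive source).
SAMPLES = {
    "null_byte_request": b"GET /docs/a.pdf%00 HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "plain_pdf_request": b"GET /docs/a.pdf HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "exe_string_table": b"MZ\x90\x00\x03" + b"\x00" * 8 + b"Save.PDF\x00ShellExecuteA\x00",
}

def evaluate(samples=SAMPLES):
    """Return {name: (content_hit, uricontent_hit)} for the two rule styles.
    Note the raw-byte rule fires on the executable but not on the request,
    because on the wire the null is URL-encoded as '%00', not 0x00."""
    return {name: (content_match(p, ".pdf|00|", nocase=True),
                   uricontent_match(p, ".pdf%00"))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (c, u) in evaluate().items():
        print(f"{name:20s} content:'.pdf|00|' nocase -> {c!s:5}  uricontent:'.pdf%00' -> {u}")
```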