[Snort-sigs] Microsoft IFrame vulnerability

Chris Mills securinate at ...2420...
Thu Dec 2 05:50:01 EST 2004


Hi all-
Yesterday, microsoft released the patch for the IFrame exploit, but
I'm looking for a good signature to detect it still. Given the
randomness of the way they are doing this exploit, it seems the only
common string in these http documents to look for is "iframe." Please
lend some advice for signatures for this that will reduce false
positives. A good source of info on this is at
http://www.vitalsecurity.org/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf

Thanks,
Chris




More information about the Snort-sigs mailing list