[Snort-sigs] help with 2 rules
mkettler at ...189...
Wed Mar 2 13:32:33 EST 2005
At 04:07 PM 3/2/2005, Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
>I have no idea what this exploit is for??
>alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative; content: "tRNS"; distance: 4; classtype:misc-attack;
It's an MSN messenger exploit based on corrupted PNG files:
You can only tell because they left the Core security advisory ID in the
message part, but didn't include any references. It's one of the downsides
of bleeding-edge.. not all the rules are as readable as they could be..
Still, better a rule that can be improved than no rule at all..
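What the quoted rule is looking for, walked through in Python as an added example (not code from the original post, the Bleeding Edge rule set, or the Core advisory): the hex content is the PNG signature followed by the IHDR chunk header, and the byte_test reads the 4-byte length of the chunk that follows IHDR (file offset 33) and fires when it exceeds 256, with "tRNS" as the expected chunk type. A tRNS chunk carries at most one byte per palette entry and a palette has at most 256 entries, so no valid file declares a longer one. The parser below walks PNG chunks and reports any tRNS chunk with an oversized declared length; it does not reproduce Snort's detect-pointer semantics for byte_test/distance, it just checks the file structurally. The sample PNG bytes, and the helper names chunk, ihdr, iter_chunks and suspicious_trns, are constructed here for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A PLTE has at most 256 entries and tRNS holds one byte per entry for indexed
# images (2 bytes for greyscale, 6 for truecolor), so a declared tRNS length
# above 256 never occurs in a well-formed file. Same threshold as the rule's byte_test.
MAX_TRNS_LEN = 256


def iter_chunks(data: bytes):
    """Yield (type, declared_length, offset_of_length_field) for each chunk.

    The declared length is reported but never trusted: an oversized length
    simply runs the cursor off the end of the buffer and ends the walk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])  # big-endian, like byte_test
        ctype = data[pos + 4:pos + 8]
        yield ctype, length, pos
        if ctype == b"IEND":
            break
        pos += 4 + 4 + length + 4  # length field, type, payload, CRC


def suspicious_trns(data: bytes) -> list:
    """Return (offset, declared_length) for every tRNS chunk declaring more than 256 bytes."""
    hits = []
    for ctype, length, pos in iter_chunks(data):
        if ctype == b"tRNS" and length > MAX_TRNS_LEN:
            hits.append((pos, length))
    return hits


def chunk(ctype: bytes, payload: bytes, declared_len=None) -> bytes:
    """Build one chunk; declared_len lets a constructed sample lie about its length."""
    length = len(payload) if declared_len is None else declared_len
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", length) + ctype + payload + struct.pack(">I", crc)


def ihdr(width=1, height=1, bit_depth=8, color_type=3) -> bytes:
    """13-byte IHDR for a 1x1 indexed-colour image (the 0000000d 49484452 in the rule)."""
    return chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0))


# Constructed samples: a well-formed indexed PNG, a hostile one whose chunk right
# after IHDR (offset 33, exactly where the rule's byte_test reads) is a 300-byte tRNS,
# and one that declares a huge tRNS length but carries only a few bytes.
BENIGN_PNG = (PNG_SIGNATURE + ihdr() + chunk(b"PLTE", b"\x00\x00\x00")
              + chunk(b"tRNS", b"\x00") + chunk(b"IEND", b""))
HOSTILE_PNG = PNG_SIGNATURE + ihdr() + chunk(b"tRNS", b"A" * 300) + chunk(b"IEND", b"")
LYING_PNG = PNG_SIGNATURE + ihdr() + chunk(b"tRNS", b"A" * 8, declared_len=0x10000)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PNG), ("hostile", HOSTILE_PNG), ("lying", LYING_PNG)):
        print(name, [c for c, _, _ in iter_chunks(sample)], suspicious_trns(sample))
```

The offset the parser reports for the hostile sample, 33, is the signature (8 bytes) plus the IHDR chunk (4 length + 4 type + 13 data + 4 CRC), which is where the rule's `byte_test: 4,>,256,17,relative` lands after its 16-byte content match. Checking the declared length rather than the bytes actually present matters, because a decoder that allocates or copies by the declared value is exactly what an oversized tRNS is aimed at.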