[Snort-sigs] lots of FPs (?) for BLEEDING-EDGE EXPLOIT Windows Media Player parsing

Jeff Kell jeff-kell at ...922...
Sat Feb 18 19:31:03 EST 2006


Russell Fulton wrote:
> I'm seeing lots of hits on this rule from all over the net.  Either
> there is a successful worm that I have not heard about (;) or we have
> some false +ves.
Likewise here, hundreds.  It is a pretty "bare" signature, just "BM" and
4 null bytes 8 bytes away.

It needs some more specific identification of the BMP header, but
haven't had time to look into the header details, nor do I have a sample
of the real exploit.

Both signatures are firing this way [2002802 and 2002803] but the
2002802 one is hitting very very frequently, 548 hits vs 55 hits in the
last 24 hours of dorm traffic.

Jeff
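As an added illustration (not part of the original thread, and not the Bleeding Edge rule itself), the following Python re-creates the "bare" pattern Jeff describes and contrasts it with a header-aware check over a constructed BMP and a constructed chunk of unrelated bytes. It assumes "4 null bytes 8 bytes away" means four zero bytes starting 8 bytes after the end of the "BM" marker (Snort's distance semantics), which puts them at offset 10 of a candidate header, the bfOffBits field of a real BITMAPFILEHEADER. The BMP field layout is the standard one; the sample payloads are constructed here. It handles the 40-byte-and-larger BITMAPINFOHEADER family only, not the 12-byte OS/2 core header.

```python
import struct

# DIB header sizes (biSize) handled here. The 12-byte OS/2 core header lays
# its fields out differently and is deliberately left out.
DIB_HEADER_SIZES = {40, 52, 56, 108, 124}
VALID_BIT_COUNTS = {1, 4, 8, 16, 24, 32}


def bare_rule_hits(data: bytes) -> list:
    """Offsets where the bare pattern fires: 'BM' followed, 8 bytes after the
    marker, by four zero bytes. Reading '8 bytes away' as offset 10 from the
    start of 'BM' is an assumption; offset 10 is bfOffBits in a real header."""
    hits, start = [], 0
    while True:
        i = data.find(b"BM", start)
        if i < 0:
            return hits
        if data[i + 10:i + 14] == b"\x00\x00\x00\x00":
            hits.append(i)
        start = i + 1


def parse_bmp_header(data: bytes, off: int):
    """Parse BITMAPFILEHEADER (14 bytes) plus the first 16 bytes of the DIB
    header at `off`. Returns None if fewer than 30 bytes are available."""
    if len(data) < off + 30:
        return None
    magic, file_size, res1, res2, off_bits = struct.unpack_from("<2sIHHI", data, off)
    dib_size, width, height, planes, bit_count = struct.unpack_from("<IiiHH", data, off + 14)
    return {"magic": magic, "file_size": file_size, "reserved1": res1,
            "reserved2": res2, "off_bits": off_bits, "dib_size": dib_size,
            "width": width, "height": height, "planes": planes,
            "bit_count": bit_count}


def is_plausible_bmp_header(hdr) -> bool:
    """Structural checks a header-aware rule could key on instead of the
    two-byte marker alone."""
    if hdr is None or hdr["magic"] != b"BM":
        return False
    if hdr["reserved1"] != 0 or hdr["reserved2"] != 0:
        return False
    if hdr["dib_size"] not in DIB_HEADER_SIZES:
        return False
    if hdr["planes"] != 1 or hdr["bit_count"] not in VALID_BIT_COUNTS:
        return False
    # Pixel data cannot begin before both headers end, and the file size
    # field cannot be smaller than the pixel data offset.
    if hdr["off_bits"] < 14 + hdr["dib_size"] or hdr["file_size"] < hdr["off_bits"]:
        return False
    return True


def plausible_bmp_headers(data: bytes) -> list:
    """Offsets of every 'BM' occurrence that parses as a plausible header."""
    found, start = [], 0
    while True:
        i = data.find(b"BM", start)
        if i < 0:
            return found
        if is_plausible_bmp_header(parse_bmp_header(data, i)):
            found.append(i)
        start = i + 1


def build_minimal_bmp() -> bytes:
    """Constructed 1x1 24-bit BMP: 14-byte file header, 40-byte info header,
    one 4-byte row (3 bytes BGR plus 1 byte padding)."""
    pixel_row = b"\x00\x00\xff\x00"
    off_bits = 14 + 40
    file_size = off_bits + len(pixel_row)
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0,
                           len(pixel_row), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixel_row


# Constructed unrelated bytes that happen to contain 'BM' with four zero
# bytes 8 bytes after it: the bare pattern fires, the header check does not.
NOISE_PAYLOAD = (
    b"\x17\x03\x01"
    + b"BM"
    + b"\x5a\xa3\x10\x44\x92\x07\xc1\x3e"
    + b"\x00\x00\x00\x00"
    + b"\x88\x41\x7d\x02\x19\xee\x30\x0c\x51\x7b\x02\xa9\x63\x1f\x90\x77\x0d\x44"
)

if __name__ == "__main__":
    for name, payload in (("noise", NOISE_PAYLOAD), ("bmp", build_minimal_bmp())):
        print(name, "bare hits:", bare_rule_hits(payload),
              "plausible headers:", plausible_bmp_headers(payload))
```

Run stand-alone, it reports that the bare pattern fires once on the noise payload at offset 3 and not at all on the well-formed bitmap, while the header-aware check accepts only the bitmap; the reserved fields, DIB header size, plane count, bit depth and offset/size consistency are the kind of fields a tighter signature could test with byte_test-style checks rather than matching on "BM" wherever it occurs in a stream.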