[Snort-sigs] lots of FPs (?) for BLEEDING-EDGE EXPLOIT Windows Media Player parsing
jeff-kell at ...922...
Sat Feb 18 19:31:03 EST 2006
Russell Fulton wrote:
> I'm seeing lots of hits on this rule from all over the net. Either
> there is a successful worm that I have not heard about (;) or we have
> some false +ves.
Likewise here, hundreds. It is a pretty "bare" signature, just "BM" and
4 null bytes 8 bytes away.
It needs some more specific identification of the BMP header, but I
haven't had time to look into the header details, nor do I have a sample
of the real exploit.
Both signatures are firing this way [2002802 and 2002803] but the
2002802 one is hitting very very frequently, 548 hits vs 55 hits in the
last 24 hours of dorm traffic.
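As an added illustration (not code from this thread or from the Bleeding Edge rules), here is a Python check of what "more specific identification of the BMP header" could look like: it parses the full BITMAPFILEHEADER plus the DIB header size, and compares that against a bare "BM"-plus-NULs test. The exact shape of the bare test, four NUL bytes at the bfReserved fields, is an assumption; the sample inputs are constructed, not captured traffic.

```python
import struct

# BITMAPFILEHEADER layout (14 bytes, little-endian), offsets relative to "BM":
#   0 bfType "BM" | 2 bfSize | 6 bfReserved1 | 8 bfReserved2 | 10 bfOffBits
# followed at offset 14 by the DIB header, whose first field is its own size.
FILE_HEADER = struct.Struct("<2sIHHI")
KNOWN_DIB_SIZES = {12, 40, 52, 56, 108, 124}  # CORE, INFO, V2, V3, V4, V5 header sizes


def bare_signature_match(data: bytes) -> bool:
    """The kind of 'bare' test the thread complains about (assumed shape):
    'BM' plus four NUL bytes where bfReserved1/bfReserved2 sit."""
    return data[:2] == b"BM" and data[6:10] == b"\x00\x00\x00\x00"


def parse_bmp_header(data: bytes):
    """Return the parsed header fields if data is a structurally valid BMP
    header, else None.  Each check is something the bare match ignores."""
    if len(data) < FILE_HEADER.size + 4:
        return None
    bf_type, bf_size, res1, res2, off_bits = FILE_HEADER.unpack_from(data, 0)
    (dib_size,) = struct.unpack_from("<I", data, FILE_HEADER.size)
    if bf_type != b"BM" or res1 != 0 or res2 != 0:
        return None
    if dib_size not in KNOWN_DIB_SIZES:
        return None
    # Pixel data must begin after both headers; bfSize, when set, must cover it.
    if off_bits < FILE_HEADER.size + dib_size or (bf_size and bf_size < off_bits):
        return None
    return {"size": bf_size, "off_bits": off_bits, "dib_size": dib_size}


def classify(data: bytes) -> str:
    """'bmp' = full header parses, 'bare-only' = only the weak test fires."""
    if parse_bmp_header(data) is not None:
        return "bmp"
    return "bare-only" if bare_signature_match(data) else "none"


# Constructed samples (not captured traffic): a minimal 1x1 24-bit BMP ...
VALID_BMP = (
    FILE_HEADER.pack(b"BM", 58, 0, 0, 54)
    + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    + b"\x00\x00\xff\x00"  # one red pixel plus row padding
)
# ... and an arbitrary blob where "BM" happens to be followed by zero bytes.
BARE_ONLY = b"BM" + b"\xaa\xbb\xcc\xdd" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in (("valid", VALID_BMP), ("bare", BARE_ONLY)):
        print(name, classify(blob), parse_bmp_header(blob))
```

Both samples trip the bare test, but only the real header survives the full parse, which is the kind of extra content/byte_test constraint a tighter rule would need.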