[Snort-sigs] 1:12070 for Word documents?

Nigel Houghton nigel at ...435...
Wed Apr 16 07:49:43 EDT 2008

On 4/15/08 10:23 PM, "Lee Clemens" <snort at ...3020...> wrote:

> Hello all,
> I downloaded a Word document from OWA and saw many alerts from Snort for sid
> 1:12070.
> The signature's message is "EXPLOIT Microsoft Excel malformed version field"
> and all of the links (nvd, cve, icat, bugtraq) show only Excel as being
> vulnerable.
> The Word document does use tables, but does not appear to use any embedded
> Excel spreadsheet objects, etc.
> Could this be a false positive or even an additional vulnerability for
> particular Word documents?

It may well be. However, there are a few things we would like to have before
continuing (this is a generic list and I would say you have part 8 covered
and some other parts may not be necessary but the pcap part really is)...

 1. Version of Snort
 2. Rule SID and revision
 3. Snort configuration options from snort.conf
 4. Command line options when starting snort
 5. The operating system being used
 6. A supporting packet capture that illustrates the false positive case
 7. Contact email (we may have a need for more information)
 8. Some text that clearly explains why you think this is a false positive

You can send the information directly to research at sourcefire.

Nigel Houghton
Resident Hooligan
