[Snort-sigs] Rule 13573 question

Lay, James james.lay at ...3513...
Wed Oct 5 10:30:47 EDT 2011


Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Microsoft Outlook arbitrary command line attempt ";
flow:from_server,established; content:"mailto|3A|"; nocase;
pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi";
reference:cve,2008-0110;
reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx;
classtype:misc-attack; sid:13573; rev:4;)

In looking at the MS bulletin, this is an Outlook client issue, yes?  Do
people run Outlook over port 80?  Anyways, the below link will fire this
one off.

http://static.meteorsolutions.com/metsol.js

James
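
An added example, not part of the original post or of the Snort ruleset: the rule's content and pcre options re-implemented with Python's re module and run over constructed payloads, to show how ordinary JavaScript served over HTTP can satisfy the pattern. The sample payloads and function names are assumptions made for illustration (they are not the contents of metsol.js), and the rule's flow and port conditions are not modelled.

```python
import re

# Payload options of sid:13573 rev:4 as quoted in the post above.
CONTENT = b"mailto:"  # content:"mailto|3A|"; nocase;
PCRE = re.compile(
    rb"mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)",
    re.S | re.M | re.I,  # the /smi modifiers
)

def matched_span(payload: bytes):
    """Return the bytes the pcre option matches, or None."""
    m = PCRE.search(payload)
    return m.group(0) if m else None

def rule_matches(payload: bytes) -> bool:
    """True when both the content and the pcre option match the payload."""
    if CONTENT not in payload.lower():
        return False
    return matched_span(payload) is not None

# Constructed server-to-client payloads (hypothetical, for illustration only).
SAMPLES = {
    # Share-by-email helper: "mailto:", then "?", then a quote followed by a comma.
    "js_share_array": b'var share = ["mailto:?subject=", "&body="];',
    # [^>]* also crosses newlines, so unrelated statements combine into a match
    # as long as no ">" appears between them.
    "js_unrelated_lines": (
        b'link.href = "mailto:" + addr;\n'
        b'var q = url.indexOf("?");\n'
        b'var tags = ["a", "b"];'
    ),
    # Plain HTML link: the ">" closing the tag stops [^>]* before any "?".
    "html_link": b'<a href="mailto:user@example.com">Contact</a> <a href="/faq?x=1">FAQ</a>',
    # No mailto at all: the content option already fails.
    "no_mailto": b'var q = url.indexOf("?"); var tags = ["a", "b"];',
}

def evaluate_samples():
    """Map each sample name to whether the rule's payload options match it."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20} {'ALERT' if hit else 'no match'}")
```

The two JavaScript samples match even though neither is a link handed to a mail client, which is consistent with a script file on an HTTP port triggering the rule.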
