[Snort-sigs] Microsoft Vulnerability CVE-2018-0950

אחיעד גלרנטר achiadg at gmail.com
Sun Apr 15 07:35:02 EDT 2018

I am trying to understand the Snort rule for this CVE:


# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected";
flow:to_server,established; file_data; content:"|78 9F 3E 22|",depth 4;
content:"Package"; content:"|5C 5C|",within 100;
content:"METAFILE",distance 0;
metadata:policy max-detect-ips drop,policy security-ips drop; service:smtp;
reference:cve,2018-0950;
reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0950;
classtype:policy-violation; sid:46266; rev:1; )

What did you mean by content:"Package" and by content:"METAFILE"?

Why does this appear in the Snort rule? Is it necessary?

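As an added example (not from the original post and not Talos or Snort code), the following Python emulates the content-match chain of the posted rule, SID 46266, so the role of each content keyword is visible: every content match is a required condition, and the ones carrying within or distance are anchored to where the previous match ended, so "Package", "|5C 5C|" and "METAFILE" must all be present in that order for the rule to fire. The matcher is a simplified model of Snort's content/depth/within/distance semantics, not Snort's engine, and the sample buffers are constructed for illustration, not real attachments; the four-byte header is copied from the rule without any claim about what it identifies.

```python
"""Emulate the content-match chain of Snort SID 46266 (constructed example)."""
from typing import Optional

# Patterns taken from the rule as posted; hex content decoded to raw bytes.
MAGIC = bytes.fromhex("789F3E22")   # content:"|78 9F 3E 22|",depth 4
PACKAGE = b"Package"                # content:"Package"
UNC = b"\\\\"                       # content:"|5C 5C|",within 100
METAFILE = b"METAFILE"              # content:"METAFILE",distance 0


def content(buf: bytes, pat: bytes, cursor: int, *,
            depth: Optional[int] = None,
            within: Optional[int] = None,
            distance: Optional[int] = None) -> Optional[int]:
    """Return the offset just past a match of pat, or None if it is absent.

    Simplified Snort semantics as used by this rule (an emulation, not Snort):
    - no relative modifier: search from the start of the buffer, limited by depth
    - distance N: the search starts N bytes after the previous match ended
    - within N: the whole pattern must lie inside the next N bytes
    """
    relative = within is not None or distance is not None
    start = cursor + (distance or 0) if relative else 0
    if depth is not None:
        end = start + depth
    elif within is not None:
        end = start + within
    else:
        end = len(buf)
    idx = buf.find(pat, start, end)   # find() with end keeps the match inside [start, end)
    return None if idx < 0 else idx + len(pat)


# The rule's content keywords in order, with the modifiers each one carries.
CHECKS = (
    ("magic depth 4", MAGIC, {"depth": 4}),
    ("Package", PACKAGE, {}),
    ("|5C 5C| within 100", UNC, {"within": 100}),
    ("METAFILE distance 0", METAFILE, {"distance": 0}),
)


def first_failing_check(file_data: bytes) -> Optional[str]:
    """Walk the chain; return the label of the first check that fails, else None."""
    cursor = 0
    for label, pat, mods in CHECKS:
        cursor = content(file_data, pat, cursor, **mods)
        if cursor is None:
            return label
    return None


def sid_46266_matches(file_data: bytes) -> bool:
    """True only when every content check in the rule succeeds."""
    return first_failing_check(file_data) is None


# Constructed file_data buffers (hypothetical, not captured attachments).
HIT = (MAGIC + b"\x00" * 20 + PACKAGE + b"\x00" * 10
       + b"\\\\host\\share\\x" + b"\x00" * 4 + METAFILE)
MISS_NO_MAGIC = b"\xd0\xcf\x11\xe0" + HIT[4:]            # header differs in the first 4 bytes
MISS_TOO_FAR = MAGIC + PACKAGE + b"\x00" * 120 + b"\\\\host\\share\\x" + METAFILE
MISS_ORDER = MAGIC + METAFILE + PACKAGE + b"\\\\x"         # METAFILE precedes the UNC match

if __name__ == "__main__":
    for name, buf in (("HIT", HIT), ("MISS_NO_MAGIC", MISS_NO_MAGIC),
                      ("MISS_TOO_FAR", MISS_TOO_FAR), ("MISS_ORDER", MISS_ORDER)):
        print(f"{name:14s} match={sid_46266_matches(buf)!s:5s} "
              f"first_failing={first_failing_check(buf)}")
```

The MISS_TOO_FAR buffer is the case the within modifier exists for: "Package" and the backslash pair are both present, but the pair lies more than 100 bytes past the end of "Package", so the chain stops there. Dropping the content:"Package" or content:"METAFILE" keywords from the rule would remove those ordering constraints and widen what the signature fires on.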