[Snort-sigs] Microsoft Vulnerability CVE-2018-0950

אחיעד גלרנטר achiadg at gmail.com
Sun Apr 15 07:35:02 EDT 2018


Hi,
I am trying to understand the Snort rule for this CVE:

CVE-2018-0950

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
    msg:"FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected";
    flow:to_server,established; file_data;
    content:"|78 9F 3E 22|",depth 4; content:"Package";
    content:"|5C 5C|",within 100; content:"METAFILE",distance 0;
    metadata:policy max-detect-ips drop,policy security-ips drop; service:smtp;
    reference:cve,2018-0950;
    reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0950;
    classtype:policy-violation; sid:46266; rev:1; )


What did you mean by content:"Package" and by content:"METAFILE"?

Why does this appear in the Snort rule? Is this necessary?

Thanks,
Achiad
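As an added illustration of how the rule above is evaluated (this is not part of the original message and not Snort's own detection engine), the following Python sketch models the ordered content matches of sid 46266 together with their depth, within and distance modifiers, and runs them over constructed sample buffers to show that all four patterns must appear in order and inside their windows for the rule to fire. The buffer contents and the helper names are assumptions made for this example only.

```python
# Added example: a minimal model of Snort's ordered content matching
# (content / depth / within / distance) applied to the chain of sid 46266.
# It is not Snort's matcher; it only models the semantics needed to read the rule.

# The four content checks from the rule, in rule order:
#   (pattern, depth, within, distance) - None means the modifier is absent.
RULE_46266_CHAIN = [
    (b"\x78\x9f\x3e\x22", 4, None, None),  # must sit in the first 4 bytes
    (b"Package", None, None, None),        # anywhere after the previous match
    (b"\\\\", None, 100, None),            # |5C 5C| within 100 bytes after "Package"
    (b"METAFILE", None, None, 0),          # distance 0: anywhere after the "\\"
]


def matches_chain(data: bytes, chain=RULE_46266_CHAIN) -> bool:
    """Return True when every content in the chain matches, in order.

    cursor is the byte just past the previous match, as in Snort's engine.
    depth and within both cap the search window at N bytes from the start
    of the window; distance N moves the window start N bytes past the cursor.
    """
    cursor = 0
    for pattern, depth, within, distance in chain:
        start = cursor + (distance or 0)
        end = len(data)
        if depth is not None:
            end = min(end, start + depth)
        if within is not None:
            end = min(end, start + within)
        hit = data.find(pattern, start, end)
        if hit == -1:
            return False
        cursor = hit + len(pattern)
    return True


# Constructed sample buffers (assumed layouts, not real files) to exercise the modifiers.
SAMPLE_HIT = (b"\x78\x9f\x3e\x22" + b"\x00" * 20 + b"Package" + b"\x00" * 50
              + b"\\\\" + b"\x00" * 300 + b"METAFILE")
# Same strings, but "\\" is more than 100 bytes after "Package": within 100 fails.
SAMPLE_TOO_FAR = (b"\x78\x9f\x3e\x22" + b"\x00" * 20 + b"Package" + b"\x00" * 150
                  + b"\\\\" + b"METAFILE")
# Same strings, but the 4-byte marker is not at offset 0: depth 4 fails.
SAMPLE_NO_MAGIC = b"\x00" + SAMPLE_HIT


def demo() -> dict:
    return {
        "hit": matches_chain(SAMPLE_HIT),            # True
        "too_far": matches_chain(SAMPLE_TOO_FAR),    # False
        "no_magic": matches_chain(SAMPLE_NO_MAGIC),  # False
    }
```

Dropping "Package" or "METAFILE" from the chain makes the remaining patterns match far more generic OLE data, which is why both are kept in the rule as additional constraints rather than being redundant.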