[Snort-sigs] Microsoft Vulnerability CVE-2018-0950

Achiad Gelerenter achiadg at post.bgu.ac.il
Sun Apr 15 07:20:14 EDT 2018


Hi,
I am trying to understand the Snort rule for this CVE:

CVE-2018-0950

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
    msg:"FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected";
    flow:to_server,established;
    file_data;
    content:"|78 9F 3E 22|",depth 4;
    content:"Package";
    content:"|5C 5C|",within 100;
    content:"METAFILE",distance 0;
    metadata:policy max-detect-ips drop,policy security-ips drop;
    service:smtp;
    reference:cve,2018-0950;
    reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0950;
    classtype:policy-violation;
    sid:46266; rev:1;
)


What did you mean by content:"Package" and by content:"METAFILE"?

Why does this appear in the Snort rule? Is this necessary?
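As an added example (not from the original post and not Snort's own matcher), the Python below emulates how the four content matches in sid:46266 chain together under depth, within and distance, run over constructed byte buffers. The sample layout (class name "Package", a UNC path starting with "\\", then the presentation format name "METAFILEPICT") is an assumed OLE1-style object fragment, not a real Outlook file.

```python
# Added illustration: emulate how the four content matches in Snort rule sid:46266
# chain together under depth / within / distance. This is not Snort's own matcher,
# and the sample buffers below are constructed stand-ins, not real Outlook objects.

# (pattern, modifiers) in rule order.
RULE_CONTENTS = [
    (b"\x78\x9f\x3e\x22", {"depth": 4}),  # content:"|78 9F 3E 22|",depth 4
    (b"Package", {}),                      # content:"Package"  (absolute search)
    (b"\\\\", {"within": 100}),            # content:"|5C 5C|",within 100
    (b"METAFILE", {"distance": 0}),        # content:"METAFILE",distance 0
]


def match_offsets(buf, contents=RULE_CONTENTS):
    """Return the offset of each content match in order, or None on the first miss.

    Content-modifier semantics used here:
      depth N    - pattern must lie entirely within the first N bytes (from offset 0)
      distance N - relative: search starts N bytes after the previous match ends
      within N   - relative: pattern must fit within N bytes of that start point
    A content with no relative modifier is searched from the start of the buffer.
    """
    offsets, cursor = [], 0  # cursor = end of the previous match
    for pattern, mods in contents:
        relative = "distance" in mods or "within" in mods
        start = cursor + mods.get("distance", 0) if relative else mods.get("offset", 0)
        if "within" in mods:
            end = start + mods["within"]
        elif "depth" in mods:
            end = start + mods["depth"]
        else:
            end = len(buf)
        idx = buf.find(pattern, start, end)  # pattern must fit fully in [start, end)
        if idx == -1:
            return None
        offsets.append(idx)
        cursor = idx + len(pattern)
    return offsets


def rule_matches(buf):
    return match_offsets(buf) is not None


# Constructed OLE1-style fragment: 4-byte marker, padding, class name "Package",
# a UNC path, then the presentation format name "METAFILEPICT".
SAMPLE_MATCH = (b"\x78\x9f\x3e\x22" + b"\x00" * 8 + b"Package\x00"
                + b"\\\\fileserver.example\\share\\doc.png\x00" + b"METAFILEPICT\x00")
# Same layout with a local path: no "\\" prefix, so the rule does not fire.
SAMPLE_LOCAL = SAMPLE_MATCH.replace(b"\\\\fileserver.example\\share\\", b"C:\\temp\\")
```

match_offsets(SAMPLE_MATCH) returns [0, 12, 20, 55], while SAMPLE_LOCAL, a buffer whose marker is not in the first 4 bytes, or one with more than 100 bytes between "Package" and "\\" all return None.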