[Snort-users] Quick and Nasty hack rule for Outlook Buffer overflow issue

Bill Pennington billp at ...60...
Wed Jul 19 19:05:05 EDT 2000


I decided to write a quick rule to detect the Outlook buffer overflow
mail exploit issue
(http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D1481). Hope
that link works :-).

Now I don't know what you could do, since by the time my detect goes off
the damage has been done. I have only tested this with the Perl version
of the exploit code, not the Windows exe. If anyone has a better detect,
I would like to see it. Also, if anyone wants help in writing a better
detect, I would be glad to lend a hand.

Ok...

alert tcp $EXTERNAL any -> $INTERNAL 25 (content: "+1111111111111111111111111111111111111111111111111111111Z"; msg: "Outlook Buffer OverFlow";)

Let me know how it works for you!

-- 

Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
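
The rule above matches one literal filler string. As an added example (not part of the original post and not Snort code), the sketch below applies the same literal match to a message and also flags any header line containing a long run of one repeated byte. The 40-byte threshold, the function names and the sample messages are assumptions.

```python
import re

# Literal copied from the content: option of the rule in the post.
RULE_CONTENT = b"+1111111111111111111111111111111111111111111111111111111Z"

# Assumption (not from the post): 40 or more identical bytes in a row inside
# one header line is treated as overflow filler.
MIN_RUN = 40
RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1))


def header_lines(message):
    """Unfolded header lines of a message; the body after the blank line is skipped."""
    head = re.split(rb"\r?\n\r?\n", message, maxsplit=1)[0]
    head = re.sub(rb"\r?\n[ \t]+", b" ", head)  # unfold continuation lines
    return [line for line in re.split(rb"\r?\n", head) if line]


def scan(message):
    """Return a list of (reason, header_name) findings for one message."""
    findings = []
    if RULE_CONTENT in message:  # same literal match the Snort rule performs
        findings.append(("rule-content", b""))
    for line in header_lines(message):
        if RUN_RE.search(line):
            findings.append(("long-run", line.split(b":", 1)[0]))
    return findings


# Constructed sample messages. Putting the filler in the Date header is an
# assumption made for the samples; the post does not say where it appears.
BENIGN = (b"From: a@example.com\r\nDate: Wed, 19 Jul 2000 19:05:05 -0400\r\n"
          b"Subject: hello\r\n\r\n" + b"-" * 60 + b"\r\n")
RULE_HIT = (b"From: a@example.com\r\nDate: Wed, 19 Jul 2000 19:05:05 "
            + RULE_CONTENT + b"\r\n\r\nhi\r\n")
OTHER_FILLER = (b"From: a@example.com\r\nDate: Wed, 19 Jul 2000 19:05:05 +"
                + b"A" * 60 + b"\r\n\r\nhi\r\n")

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("rule-hit", RULE_HIT),
                      ("other-filler", OTHER_FILLER)):
        print(name, scan(msg))
```

The run check reads header lines only, so a body line of 60 dashes in the benign sample is not flagged.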



