[Snort-users] coughing up water on FP and notifications
nhoughton at ...1935...
Fri Apr 1 08:31:02 EDT 2011
On Fri, 1 Apr 2011 13:59:25 +0200, Crusty Saint wrote:
> For http://www.snort.org/search/sid/3-15114 I see repeated alerts
> but this confuses me. From what I've read this should mean there is
> an actual exploit being executed. From what I think I understand
> this means there is a vulnerable service accessible OR there is
> actually code being run against a vulnerable service. Based on the
> specific rule I'm assuming this is most likely and indeed bad news.

That rule is for a client-side Internet Explorer issue. When IE gets
data from an embedded object on a web page, it doesn't deal with it
properly, so if that object is malformed in some way it is possible to
add some extra goodness to it that is then executed on the client.

However, the stack execution is only possible on certain versions of IE
and the underlying OS is also important. IE 5.x on Win2k is certainly
exploitable in this way, but IE 6 on the same platform isn't (even
though you can still overwrite a tiny little bit of the stack). For IE
6 on WinXP though, the result of the attack is a denial of service.
Newer versions of IE are not vulnerable at all.

I'm sure you've looked at the references that come with that rule:
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
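
The version and OS dependence described in this reply can be used to sort repeated alerts for SID 3:15114 by the client that received the traffic. The following is an added example, not part of the original message or of Snort. It assumes each alert has been joined with the client's User-Agent header from proxy logs and that the header is not spoofed; the sample records, addresses, labels and function names are constructed.

```python
import re

# Impact labels ordered from most to least urgent for triage.
SEVERITY = ["code-execution", "denial-of-service", "unknown",
            "stack-overwrite-only", "not-vulnerable"]

IE_RE = re.compile(r"MSIE (\d+)\.\d+")
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")  # 5.0 = Win2k, 5.1 = WinXP


def classify(user_agent):
    """Map a User-Agent string to the impact described in the message above."""
    ie, nt = IE_RE.search(user_agent), NT_RE.search(user_agent)
    if not ie:
        return "unknown"  # not IE, or header missing/altered
    major = int(ie.group(1))
    nt_ver = nt.group(1) if nt else None
    if major >= 7:
        return "not-vulnerable"
    if major == 5 and nt_ver == "5.0":
        return "code-execution"
    if major == 6 and nt_ver == "5.0":
        return "stack-overwrite-only"
    if major == 6 and nt_ver == "5.1":
        return "denial-of-service"
    return "unknown"  # combination the message does not cover


def triage(alerts):
    """Return {client_ip: worst impact seen} for (client_ip, user_agent) pairs."""
    worst = {}
    for ip, ua in alerts:
        impact = classify(ua)
        if ip not in worst or SEVERITY.index(impact) < SEVERITY.index(worst[ip]):
            worst[ip] = impact
    return worst


# Constructed sample: clients that triggered SID 3:15114, joined with proxy logs.
SAMPLE = [
    ("10.0.0.11", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"),
    ("10.0.0.12", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("10.0.0.13", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    ("10.0.0.13", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"),
    ("10.0.0.14", "Mozilla/5.0 (X11; Linux i686) Firefox/4.0"),
]

if __name__ == "__main__":
    print(*sorted(triage(SAMPLE).items()), sep="\n")
```

Clients that land in "unknown" are the ones the message does not speak to and need a manual look rather than being closed as false positives.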