[Snort-users] coughing up water on FP and notifications

Nigel Houghton nhoughton at ...1935...
Fri Apr 1 08:31:02 EDT 2011

On Fri, 1 Apr 2011 13:59:25 +0200, Crusty Saint wrote:

> For http://www.snort.org/search/sid/3-15114 is see repeated alerts 
> but this confuses me. From what i've read this should mean there is 
> an actual exploit being executed. From what i think to understand 
> this means there is a vulnerable service accessible OR there is 
> actually code being run against a vulnerable service. Based on the 
> specific rule i'm assuming this is most likely and indeed bad news.

That rule is for a client-side Internet Explorer issue. When IE gets 
data from an embedded object on a web page, it doesn't deal with it 
properly, so if that object is malformed in some way it is possible to 
add some extra goodness to it that is then executed on the client. 
However, the stack execution is only possible on certain versions of IE 
and the underlying OS is also important. IE 5.x on Win2k is certainly 
exploitable in this way, but IE 6 on the same platform isn't (even 
though you can still overwrite a tiny little bit of the stack). For IE 
6 on WinXP though, the result of the attack is a denial of service. 
Newer versions of IE are not vulnerable at all. 

I'm sure you've looked at the references that come with that rule:



Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

More information about the Snort-users mailing list