Hi,
I'm using these rules to spot malicious jpegs.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
jpeg vulnerability"; flow:to_client,established; content:"Content-Type\:
image/jpeg"; content:"|FF FE 00 00|"; classtype:attempted-user;
sid:3000363; rev:10;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
jpeg vulnerability"; flow:to_client,established; content:"Content-Type\:
image/jpeg"; content:"|FF FE 00 01|"; classtype:attempted-user;
sid:3000363; rev:10;)
So far I haven't seen any, just a few false positives. I think the rules
could be improved by specifying an offset for the COM length (00 0)/00
01).
Chas
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Frank
Knobbe
Sent: 20 September 2004 18:07
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] JPEG / GDI+ DLL exploit sig?
Greetings,
it seems there are now three Proof-of-Concept exploits out for the JPEG
handling issue in the GDI+ DLL (MS04-028).
Does anyone have a signature for this yet? Preferable on the problem
(like the libpng issue) and not just pattern match on the exploits.
Cheers,
Frank
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
