On 4/15/08 10:23 PM, "Lee Clemens" <snort@leeclemens.net> wrote:
Hello all,
I downloaded a Word document from OWA and saw many alerts from Snort for sid
1:12070.
The signature's message is "EXPLOIT Microsoft Excel malformed version field"
and all of the links (nvd, cve, icat, bugtraq) show only Excel as being
vulnerable.
The Word document does use tables, but does not appear to use any embedded
Excel spreadsheet objects, etc.
Could this be a false positive or even an additional vulnerability for
particular Word documents?
It may well be. However, there are a few things we would like to have before
continuing (this is a generic list and I would say you have part 8 covered
and some other parts may not be necessary but the pcap part really is)...
1. Version of Snort
2. Rule SID and revision
3. Snort configuration options from snort.conf
4. Command line options when starting snort
5. The operating system being used
6. A supporting packet capture that illustrates the false positive case
7. Contact email (we may have a need for more information)
8. Some text that clearly explains why you think this is a false positive
case
You can send the information directly to research at sourcefire.
--
Nigel Houghton
Resident Hooligan
SF VRT
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
