alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX? Control EaseWeFtp?.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:1;)

Added 2011-10-12 19:36:06 UTC


Topic revision: r1 - 2011-10-12 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats