EmergingThreats> Main Web>2001102 (revision 2)EditAttach

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; sid: 2001102; rev:7; )


Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

-- JackGoldberg? - 07 Nov 2007


Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-11-07 - JackGoldberg?
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats