2003519 < Main < EmergingThreats

EmergingThreats>

Main Web>2003519 (2007-04-02, JeffKell)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:38:51 UTC

Added 2018-09-13 17:53:17 UTC

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:46 UTC

##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9;)

Added 2014-03-20 16:29:29 UTC

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:8;)

Added 2011-10-12 19:13:37 UTC

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; sid:2003519; rev:8;)

Added 2011-09-14 22:26:36 UTC

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;)

Added 2011-02-04 17:22:31 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;)

Added 2009-02-07 22:00:25 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;)

Added 2009-02-07 22:00:25 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:7;)

Added 2008-05-18 19:52:13 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:7;)

Added 2008-05-18 19:52:13 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:6;)

Added 2008-01-25 10:56:38 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:6;)

Added 2008-01-25 10:56:38 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:5;)

Added 2007-04-17 19:30:22 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:4;)

Added 2007-04-02 00:45:28 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative; classtype:attempted-admin; sid:2003519; rev:3;)

Added 2007-04-01 23:30:21 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative; classtype:attempted-admin; sid:2003519; rev:2;)

Added 2007-04-01 20:00:33 UTC

Should that byte_test be ,little [endian]? Getting FPs with the sig as is.

-- JeffKell - 02 Apr 2007

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,from_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2534; reference:url,www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

Added 2007-03-30 12:00:24 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,to_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2534; reference:url,www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

Added 2007-03-30 11:52:03 UTC

-- BastardSon? - 30 Mar 2007

Sig currently keys off of unique data structure for known exploits.

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions

Topic revision: r2 - 2007-04-02 - JeffKell

Main

Log In or Register

User Reference
ATasteOfTWiki
TextFormattingRules

Signature Reference
WebRss Feed
EmergingFAQ

Copyright © Emerging Threats