##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9;)

Added 2014-03-20 16:29:29 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:8;)

Added 2011-10-12 19:13:37 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; sid:2003519; rev:8;)

Added 2011-09-14 22:26:36 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;)

Added 2011-02-04 17:22:31 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;)

Added 2009-02-07 22:00:25 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;)

Added 2009-02-07 22:00:25 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:7;)

Added 2008-05-18 19:52:13 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:7;)

Added 2008-05-18 19:52:13 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:6;)

Added 2008-01-25 10:56:38 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:6;)

Added 2008-01-25 10:56:38 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:5;)

Added 2007-04-17 19:30:22 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; sid:2003519; rev:4;)

Added 2007-04-02 00:45:28 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative; classtype:attempted-admin; sid:2003519; rev:3;)

Added 2007-04-01 23:30:21 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative; classtype:attempted-admin; sid:2003519; rev:2;)

Added 2007-04-01 20:00:33 UTC

Should that byte_test be ,little [endian]? Getting FPs with the sig as is.

-- JeffKell - 02 Apr 2007


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,from_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2534; reference:url,www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

Added 2007-03-30 12:00:24 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,to_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2534; reference:url,www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

Added 2007-03-30 11:52:03 UTC


-- BastardSon? - 30 Mar 2007

Sig currently keys off of unique data structure for known exploits.

Topic revision: r2 - 2007-04-02 - JeffKell
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats