# sid 2010039, rev 13: flags an HTTP response body that embeds the AOL SuperBuddy
# ActiveX control and references its SetSuperBuddy method (see BID 36580 below).
# - flow:from_server,established + file_data: only server-to-client response data
#   on an established session is inspected.
# - The three content matches are chained with distance:0, so the CLSID must come
#   first, then "SetSuperBuddy", then "//"; nocase applies to the first two only.
# - The pcre additionally requires the CLSID to appear inside an
#   <OBJECT ... classid=clsid:...> tag (case-insensitive, dot matches newline).
# Triage: the rule keys on the control and method being present, not on any
# property of the argument beyond a literal "//", so a hit is a lead ("Possible")
# and not proof of exploitation. "//" occurs in most HTML, so it adds little selectivity.
# Coverage: the response body must be visible to the sensor; TLS traffic is only
# covered if it is decrypted upstream.
# NOTE(review): the "?" after "SuperBuddy" and "ActiveX" in msg looks like a wiki
# rendering artifact rather than rule text - compare with the distributed rule
# file before importing this line.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy? ActiveX? Control Remote Code Execution Attempt"; flow:from_server,established; file_data; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; distance:0; content:"//"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:13;)

Added 2011-10-12 19:28:48 UTC


# Historical entry for sid 2010039 (still labelled rev 13). The detection options
# (flow, file_data, the three distance:0 content matches, the pcre) are the same
# as in the 2011-10-12 entry on this page; the only textual difference is that
# classtype is written before the reference options. The position of
# classtype/reference/sid/rev within the rule does not change what is matched.
# NOTE(review): the rule text changed without a rev bump, so rev alone cannot be
# used to tell these entries apart.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy? ActiveX? Control Remote Code Execution Attempt"; flow:from_server,established; file_data; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; distance:0; content:"//"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; sid:2010039; rev:13;)

Added 2011-09-14 22:42:06 UTC


# Historical entry for sid 2010039, the earliest one on this page labelled rev 13
# and the first to use file_data with fully chained (distance:0) content matches:
# CLSID, then "SetSuperBuddy", then "//", all within the server response data,
# followed by the <OBJECT classid=clsid:...> pcre check.
# Compared with the later rev 13 entries it carries one extra reference, to the
# cvsweb path sigs/WEB_CLIENT/WEB_AOL; references are metadata and do not affect
# matching.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy? ActiveX? Control Remote Code Execution Attempt"; flow:from_server,established; file_data; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; distance:0; content:"//"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2010039; rev:13;)

Added 2011-02-04 17:29:29 UTC


# Historical entry for sid 2010039, rev 2 (msg prefix "ET WEB_ACTIVEX").
# There is no file_data here, so the content options are not tied to the response
# file-data buffer the way the rev 13 entries are.
# Matching is looser than in rev 13: "clsid" must appear, the CLSID must follow
# it (distance:0), but "SetSuperBuddy" and "//" carry no distance/within and may
# match anywhere in the inspected data, in any order. The pcre still requires the
# CLSID inside an <OBJECT ... classid=clsid:...> tag.
# Expect more benign hits from this form than from rev 13; prefer the current
# revision when deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_ACTIVEX Possible AOL SuperBuddy? ActiveX? Control Remote Code Execution Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2010039; rev:2;)

Added 2009-10-12 20:45:37 UTC


# Historical entry for sid 2010039, rev 2. The rule text and the "Added"
# timestamp are identical to the preceding rev 2 entry on this page, so this is a
# duplicate record and not a separate change.
# Detection: "clsid", then the CLSID after it (distance:0); "SetSuperBuddy" and
# "//" may match anywhere; the pcre requires the CLSID inside an
# <OBJECT ... classid=clsid:...> tag. No file_data is used in this revision.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_ACTIVEX Possible AOL SuperBuddy? ActiveX? Control Remote Code Execution Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL; sid:2010039; rev:2;)

Added 2009-10-12 20:45:37 UTC


# Original entry for sid 2010039, rev 1. The detection options are the same as in
# the rev 2 entries on this page ("clsid" -> CLSID with distance:0, unanchored
# "SetSuperBuddy" and "//", plus the <OBJECT classid=clsid:...> pcre, no
# file_data); rev 2 only added the doc.emergingthreats.net and cvsweb references.
# Kept for history; the rev 13 form at the top of this page is the tighter match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_ACTIVEX Possible AOL SuperBuddy? ActiveX? Control Remote Code Execution Attempt"; flow:from_server,established; content:"clsid"; nocase; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; sid:2010039; rev:1;)

Added 2009-10-06 09:30:38 UTC


Topic revision: r1 - 2011-10-12 - TWikiGuest
 