Daniel T. Staal wrote:
On Fri, September 15, 2006 4:34 pm, John D. Hardin said:
On Fri, 15 Sep 2006, Ken A wrote:
Seems like testing for "DirectAnimation.PathControl" would be a good
idea. Any thoughts on this?
full LOCAL_09152006_0_DAY /DirectAnimation\.PathControl/i
describe LOCAL_09152006_0_DAY DirectAnimation.PathControl object code
score LOCAL_09152006_0_DAY 10
Methinks there should be a SARE ruleset for exploits like this, so
that RDJ/sa-update can keep it current without a lot of effort...
There might be some more context needed on that to prevent FPs; I'd
hate to have a rule like that hide discussion of it on an exploits
mailing list, for example.
header VIRUS_DETECTED X-Virus-Status =~ /\bYes\b/i
describe VIRUS_DETECTED Virus scanner detected a virus.
score VIRUS_DETECTED 10
A 0day on a Friday afternoon... happy happy joy joy. I don't think
ClamAV is detecting this yet, and probably won't until there are some
actual samples out there. Symantec is releasing IPS signatures, which
are just high-priced SA rules. :-P
I changed it to
rawbody LOCAL_09152006_0_DAY /ActiveXObject\s*\([\'\"]?DirectAnimation\.PathControl[\'\"]?\)/i
I usually whitelist security-related lists. ymmv...
Ken A.
Pacific.Net
;)
Daniel T. Staal
---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes. This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---------------------------------------------------------------
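The thread contrasts three ways of catching this: a `full` rule that fires on the bare class name anywhere in the message, a `rawbody` rule that only fires on the `ActiveXObject(...)` instantiation, a `header` rule keyed on the virus scanner's verdict, plus whitelisting of security lists to avoid false positives. The script below is an added example (not from the thread and not SpamAssassin's own engine): a small Python simulation of those rule types run over constructed sample messages, so you can see which messages each rule flags. The message texts, the `LOCAL_09152006_0_DAY_FULL` and `LOCAL_SECLIST_WHITELIST` rule names, the `full-disclosure` List-Id substring and the -100 whitelist adjustment are all assumptions made for the example.

```python
import re
from email import message_from_string

# Rule table: (name, rule type, header name for "header" rules, pattern, score).
# Patterns are the thread's regexes rewritten for Python's re module,
# with the dot in the class name escaped and \s* instead of \s+ so that
# ActiveXObject("...") with no space before the parenthesis still matches.
RULES = [
    ("LOCAL_09152006_0_DAY_FULL", "full", None,
     re.compile(r"DirectAnimation\.PathControl", re.I), 10.0),
    ("LOCAL_09152006_0_DAY", "rawbody", None,
     re.compile(r'ActiveXObject\s*\(["\']?DirectAnimation\.PathControl["\']?\)', re.I), 10.0),
    ("VIRUS_DETECTED", "header", "X-Virus-Status",
     re.compile(r"\bYes\b", re.I), 10.0),
]

# Assumed: List-Id substrings treated as trusted security lists; a match
# applies a large negative adjustment in the spirit of SA whitelisting.
SECURITY_LIST_IDS = ("full-disclosure",)
WHITELIST_RULE = "LOCAL_SECLIST_WHITELIST"
WHITELIST_SCORE = -100.0


def raw_body(raw):
    """The undecoded body: everything after the first blank line."""
    _head, sep, body = raw.partition("\n\n")
    return body if sep else ""


def scan(raw):
    """Return (list of rule names that hit, total score) for one raw message."""
    msg = message_from_string(raw)
    hits, score = [], 0.0
    for name, kind, header, pattern, points in RULES:
        if kind == "full":
            text = raw                      # headers + body
        elif kind == "rawbody":
            text = raw_body(raw)            # body only, tags intact
        else:
            text = msg.get(header, "")      # one named header
        if pattern.search(text):
            hits.append(name)
            score += points
    list_id = msg.get("List-Id", "").lower()
    if any(tag in list_id for tag in SECURITY_LIST_IDS):
        hits.append(WHITELIST_RULE)
        score += WHITELIST_SCORE
    return hits, score


# Constructed sample messages (not real mail, not exploit code):
# an HTML mail instantiating the control, a plain-text list discussion
# that merely names it, a scanner-flagged mail and a clean mail.
EXPLOIT_LIKE = """From: sender@example.invalid
Subject: hi
Content-Type: text/html

<html><body><script>
var o = new ActiveXObject("DirectAnimation.PathControl");
</script></body></html>
"""

LIST_DISCUSSION = """From: poster@example.invalid
List-Id: Full Disclosure <full-disclosure.lists.example.invalid>
Subject: Re: DirectAnimation.PathControl 0-day
Content-Type: text/plain

Has anyone seen real samples of the DirectAnimation.PathControl issue yet?
"""

SCANNER_FLAGGED = """From: sender@example.invalid
X-Virus-Status: Yes
Subject: invoice
Content-Type: text/plain

see attachment
"""

CLEAN = """From: friend@example.invalid
X-Virus-Status: No
Subject: lunch?
Content-Type: text/plain

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, sample in [("exploit-like", EXPLOIT_LIKE), ("list discussion", LIST_DISCUSSION),
                          ("scanner flagged", SCANNER_FLAGGED), ("clean", CLEAN)]:
        print(label, scan(sample))
```

The list-discussion sample shows the FP that Daniel worried about: the `full` rule fires on a plain-text mention in the Subject and body, while the `rawbody` rule stays quiet because there is no `ActiveXObject(...)` call, and the List-Id whitelist pulls the total below zero either way.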