[Dshield] Mpack Snort Sigs?

Paul Melson pmelson at gmail.com
Tue Jun 19 14:55:37 GMT 2007


> There was a pretty good write up in todays handlers diary about Mpack. Has
anyone written good Snort 
> sigs for this exploit? So far we've put one in to flag any downloads of
o7.php, any other successful 
> sigs?

If I understand correctly, Mpack uses multiple existing exploits.  I did a
brief check against the Panda blog entry on Mpack, and all of the exploits
listed (QuickTime, Firefox, IE, etc.) were accounted for in the current VRT
subscription rules or Bleeding Snort rules.

PaulM




More information about the list mailing list