[Dshield] Mpack Snort Sigs?

brian.varine at us.army.mil
Tue Jun 19 18:26:21 GMT 2007


Thanks. We've seen what appears to be Mpack type traffic but wanted to cover all the bases. The stuff we've seen is pretty noisy and even lists the exploit it's downloading.

Brian 
----- Original Message -----
From: Paul Melson <pmelson at gmail.com>
Date: Tuesday, June 19, 2007 14:03
Subject: Re: [Dshield] Mpack Snort Sigs?
To: 'General DShield Discussion List' <list at lists.dshield.org>

> > There was a pretty good write up in today's handlers diary about Mpack. Has anyone written good Snort sigs for this exploit? So far we've put one in to flag any downloads of o7.php, any other successful sigs?
> 
> If I understand correctly, Mpack uses multiple existing exploits. I did a brief check against the Panda blog entry on Mpack, and all of the exploits listed (QuickTime, Firefox, IE, etc.) were accounted for in the current VRT subscription rules or Bleeding Snort rules.
> 
> PaulM
> 
> 
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC. 56 courses, SANS top instructors, and a great tools and solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
> 


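A Snort rule of the kind Brian describes, flagging client requests for o7.php, as an added example that is not from either poster; the msg text, the sid (local range) and the $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables are assumptions to be adjusted for your own snort.conf.

```snort
# Added example, not from the thread: alert on an outbound HTTP request whose
# URI contains /o7.php (the Mpack landing page name mentioned above).
# $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are assumed to be defined in
# snort.conf; sid 1000001 is a placeholder in the local rule range.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL Possible Mpack landing page request (o7.php)"; \
    flow:to_server,established; \
    content:"/o7.php"; http_uri; nocase; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; \
)
```

Since this only matches the landing page name, keep the VRT or Bleeding rules Paul mentions enabled for the individual exploits Mpack serves.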