MS04-011, continued
It looks like "super" exploits are quietly starting to appear.
- Exploit Targets Windows SSL Vulnerability (netcraft.com)
- Combined exploits of MS vulnerabilities, port 1981 increase (isc.incidents.org)
- Microsoft warns that techniques targeting vulnerabilities in Windows and IE have been published (INTERNETWatch)
- Windows HotFix Briefings (April 16, 2004 edition) (@IT)
- Windows HotFix Briefings Alert: Critical vulnerabilities in Windows OS and Outlook Express (@IT)
So, here is a Snort rule for SSLBomb:
alert tcp any any -> $HOME_NET 443 (msg: "SSL Bomb DoS Attempt"; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; distance:2; within:1; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; flow:to_server,established; classtype:attempted-dos; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; sid:999999; rev:1;)
Rule 2:
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg: "handlers - alpha - SSL DoS Short Client Handshake"; content: "|0d06 092a 8648 86f7 0d01 0104 0500 3081|"; depth: 64; content: "|0b30|"; distance: 2; content: "|0355|"; distance: 2; sid: 1090006; rev: 1;)