Re: [SAtalk] Need a rule for IE Exploit

2003-12-17 Thread Nick Leverton
However On Thu, Dec 11, 2003 at 03:51:17PM -0800, [EMAIL PROTECTED] wrote: > This may be redundant to the existing rule: > 2.4 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname That rule checks for an %-escape without preceding whitespace. There's a comment from Theo about # Have

RE: [SAtalk] Need a rule for IE Exploit

2003-12-12 Thread Mark Muller
e to comment on it's efficiency/complete lack of use ? :) I'm horrible at regex. -Original Message- From: Ivar Snaaijer [mailto:[EMAIL PROTECTED] Sent: Thursday, December 11, 2003 12:13 PM To: [EMAIL PROTECTED] Subject: Re: [SAtalk] Need a rule for IE Exploit Fred wrote: >

RE: [SAtalk] Need a rule for IE Exploit

2003-12-12 Thread Larry Gilson
> -Original Message- > From: Fred > > Hello, > I am out the door on my way to work but we need a rule for a > new IE exploit just released, Visit this page, the exploit is > harmless but to the spoofer, it's man's best friend. > > http://www.zapthedingbat.com/security/ex01/vun1.htm >

RE: [SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Mark Muller
Need a rule for IE Exploit Fred wrote: >Hello, >I am out the door on my way to work but we need a rule for a new IE exploit >just released, >Visit this page, the exploit is harmless but to the spoofer, it's man's best >friend. > >http://www.zapthedingbat.com/sec

RE: [SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Matt Kettler
At 06:03 PM 12/11/2003, [EMAIL PROTECTED] wrote: For example - I don't have an ASCII chart handy, but suppose %03 is also non-printable - http://[EMAIL PROTECTED]/exploit /format/c ">Read this or risk legal action!!! Um.. the exploit doesn't work if the character is escaped with a %.. it only work

RE: [SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Matthew . van . Eerde
Talk (E-mail) > Subject: RE: [SAtalk] Need a rule for IE Exploit > > > > > > -Original Message- > > From: Fred > > > > Hello, > > I am out the door on my way to work but we need a rule for a > > new IE exploit just released, Visit this

RE: [SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Matthew . van . Eerde
\/\/[^\s\/]*?\%\d\d[^\s\/]*?\@/ LINK_WITH_DISGUISED_SITE > -Original Message- > From: Ivar Snaaijer [mailto:[EMAIL PROTECTED] > Sent: Thursday, December 11, 2003 10:13 AM > To: [EMAIL PROTECTED] > Subject: Re: [SAtalk] Need a rule for IE Exploit > > > Fred wrote: > &g

Re: [SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ivar Snaaijer writes: >Fred wrote: > >>Hello, >>I am out the door on my way to work but we need a rule for a new IE exploit >>just released, >>Visit this page, the exploit is harmless but to the spoofer, it's man's best >>friend. >> >>http://www.zapth

Re: [SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Ivar Snaaijer
Fred wrote: Hello, I am out the door on my way to work but we need a rule for a new IE exploit just released, Visit this page, the exploit is harmless but to the spoofer, it's man's best friend. http://www.zapthedingbat.com/security/ex01/vun1.htm I think this should be put in the next SA release!

[SAtalk] Need a rule for IE Exploit

2003-12-11 Thread Fred
Hello, I am out the door on my way to work but we need a rule for a new IE exploit just released, Visit this page, the exploit is harmless but to the spoofer, it's man's best friend. http://www.zapthedingbat.com/security/ex01/vun1.htm I think this should be put in the next SA release!! ---