
Re: [ISSForum] Signature availability questions




Robert Graham wrote:
--- Gary Flynn <flynngn@xxxxxxx> wrote:
1. Is there a signature to detect an HTTP response with a
   content-type of application/hta in any of the network
   sensor products?

We've added the signature for the next XPU.

Unfortunately, the signature will trigger false-positives if somebody is
actually using HTA (HTML applications) within their intranets.

That is OK. I'm interested in implementing it at the Internet
border.

2. I notice there is a signature for the Windows RPC Messenger
   overflow but I suspect it is for requests going through the
   mapper on port 135. Can anyone confirm this and/or point out
   a signature for direct Messenger traffic connections to high
   UDP ports?

We trigger correctly on high ports.

You just made my day. Thanks!

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

