RE: Microsoft Security Bulletin MS01-026 code signature

["Larimer, Jon (ISSAtlanta)" <JLarimer () iss net>]

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Enter this string for a URL_Data user-defined signature:

%5c|%2e|%2f

This will detect variations on the attack using '/', '\', and '.'. 
Let me know if you find any problems with this signature.
-jon

=====================================================================
Jon Larimer                         |     Direct Dial: (404) 236-2843
Systems Engineer / ISS X-Force Team |  ISS Front Desk: (404) 236-2600
Internet Security Systems, Inc.     |
===================================================================== 


-----Original Message-----
From: Jose Vicente da Costa Machado Filho [mailto:JVicente () americel com br]
Sent: Tuesday, May 15, 2001 8:42 AM
To: ids () uow edu au
Subject: IDS: Microsoft Security Bulletin MS01-026 code signature





Hi All! 
Anyone know how to implement a signature on RS to monitor this exploitation?

The problem is full disclosed at
http://www.nsfocus.com/english/homepage/sa01-02.htm 
Thanks for any help, 
Jose Vicente da C Machado 
AMERICEL S.A. 
I.T. - System´s Cordinator 
- Security, Network and Internet 
email: jvicente () americel com br 
office:(61) 329-6698 
fax:(61) 329-6709 
mobile:(61) 929-0016 
http://www.americel.com.br