FILE-IDENTIFY -- Snort has detecte File Type indicators associated with packet data, which it will use to facilitate a flowbit, a method of stringing rules together. In a flowbit, one rule examines packets for file type indications, which it uses to switch rules pertaining to that file type from a dormant to active state in order to process the appropriate packets. File-type rules stay dormant to prevent alerts on innocent traffic. That same traffic, when contained in, for instance, a .doc file attached to an email, might be a threat and should be scanned.
FILE-IDENTIFY Microsoft Windows Audio wmf file download request
This event is generated when an attempt is made to access a file type that may be subject to a known vulnerability in Microsoft Windows Explorer. Impact: Denial of Service (DoS) possible execution of arbitrary code. Details: When processing Windows Extended Metafile Format (.emf) files, Windows Explorer sets a buffer size based on information in the header for the file. If a malformed header is sent, it may be possible for an attacker to cause a DoS condition to occur. It may also be possible for an attacker to execute code of their choosing on a vulnerable host. WARNING In order to avoid potential evasion techniques, http_inspect should be configured with "flow_depth 0" so that all HTTP server response traffic is inspected. Setting flow_depth 0 will cause performance problems in some situations. WARNING This issue may also affect Microsoft Windows Metafile Format (.wmf) files also. Ease of Attack: Moderate/Difficult
No information provided
No public information
No known false positives
Cisco Talos Brian Caswell Nigel Houghton
No rule groups
None
No information provided
None