Et rule 2034578 - Magic-SigExplorer

""ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)""

SID: 2034578

Revision: 1

Class Type: attempted-user

Metadata: attack_target Client_Endpoint, created_at 2021_12_03, cve CVE_2019_0752, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_12_03

Reference:

cve
2019-0752

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "200"
Value: "<script"
Value: "document.getelementbyid|28|"
Value: ".scroll"
Value: "Set"

Within:

PCRE: "/^\s(?P[\w-]{1,20})\s=\sdocument.getElementById(.{1,500}Class\s(?P[\w-]{1,20}).{1,500}End\sClass.{1,500}set\s(?P=obj).scroll((Left|Top)(Max)?|Height|Width)\s=\sNew\s*(?P=class)/Rsi"

Special Options:

http_stat_code
file_data
nocase
nocase
fast_pattern
nocase

source