Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT IE Double Free (CVE-2018-8460)"; flow:to_client,established; file_data; content:"<script"; nocase; content:"CreateElement"; nocase; content:"cssText"; nocase; content:"DOMAttrModified"; fast_pattern; nocase; content:"addEventListener"; nocase; pcre:"/(?P<obj>[^\s]{1,25})\s*=\s*document\s*\.\s*createElement.*?(?P<func>[^\s]{1,25})\s*=\s*function\s*\x28\s*e\s*\x29\s*{[^}]*this\s*\.\s*style\s*\.\s*cssText.*?(?P=obj)\s*\.\s*addEventListener\s*\x28\s*[\x22\x27]\s*DOMAttrModified\s*[\x22\x27]\s*\x2c\s*(?P=func)/si"; reference:cve,2018-8460; classtype:attempted-user; sid:2026531; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2018_10_23, cve CVE_2018_8460, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)