Just in case anyone else is trying to get this going:
Event Category: Belongs to: Host Intrusion
Threat Name: Equals: 3961
Searching for the rule in your IPS Rules in ePO doesn't help much, because the name doesn't include the MS KB# (KB958644), the Bulletin Number (MS08-067), or the generic CVE# (CVE-2008-4250). The description contains the CVE#, but there is no way to search on this, AFAIK.
The name of the threat is "Vulnerability in Server Service Could Allow Remote Code Execution", ID is 3961. If you create a query with the above filters (Event Category and Threat Name), you will see any attempts to exploit MS08-067.