Robert Graham on IDS and .ani Detection

IDS guru Robert Graham posted an informative story on the Errata Security Blog. I like his post because he addresses those who think of IDS as "network grep" -- i.e., simple content matching engines. Robert explains how older signatures for CVE-2004-1049 can be used to detect the current Vulnerability in Windows Animated Cursor Handling. The question is whether or not you still have that signature enabled and what services that signature is inspecting.