Snort mailing list archives

Re: Offer a new sig for detecting possible Malicious RTF file


From: Matthew Mickel <mmickel () sourcefire com>
Date: Thu, 21 Apr 2016 08:16:12 -0400

Hi, Rmkml-

Thanks for your submission.  We've added a slightly modified version of this
rule to the community ruleset (SIDs: 38580, 38581).  Rather than using
within:7; distance:0; I have changed the modifier to depth:7;  This is
because Snort will begin searching at the beginning of a buffer, in this
case file_data, unless told otherwise (by using offset,distance).  Because
you are searching for your content match relative to the beginning of the
file_data buffer, depth:7; is the more appropriate modifier.  I hope that's
a useful bit of information.  Thanks again for your contribution.  It is
greatly appreciated!  Best,

Matt Mickel

On Wed, Apr 13, 2016 at 4:29 PM, rmkml <rmkml () ligfy org> wrote:

Hi,

First, Thx @Sekoya_fr for sharing

The http://etplc.org open source project offers a new sig for detecting
possible Malicious RTF file opened by MS-Office:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF Possible malicious MS-Office attempt"; flow:from_server,established; file_data; content:"{\\rtvpn"; within:7; distance:0; reference:cve,2015-1641; reference:url,www.sekoia.fr/blog/ms-office-exploit-analysis-cve-2015-1641/; reference:url,www.decalage.info/rtf_tricks; classtype:misc-activity; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
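The depth versus within/distance point above, worked through as an added example. This is not Snort's code and not code from either poster: it is a small Python model of the documented semantics of the offset, depth, distance and within content modifiers (nothing else: no nocase, fast_pattern, negation or multiple buffers), run over constructed RTF-like byte strings that stand in for the file_data buffer. The rule as submitted, the community-ruleset variant with depth:7, and the same content with no positional modifier are evaluated side by side, and a second, chained content (the \objdata pattern after the header, an assumption for illustration only) shows the case where depth and within actually give different answers.

```python
"""Toy model of Snort content modifiers (offset/depth/distance/within).

Added example for the thread above, not Snort source: it follows the
documented semantics of the four positional modifiers and skips everything
else (nocase, fast_pattern, negation, multiple buffers, rawbytes).
"""
from typing import Optional

# content:"{\\rtvpn" in rule syntax: the doubled backslash is rule escaping,
# so the bytes Snort actually searches file_data for are these seven.
RTF_MAGIC = b"{\\rtvpn"


def content_match(buf: bytes, pattern: bytes, *, offset: int = 0,
                  depth: Optional[int] = None, distance: Optional[int] = None,
                  within: Optional[int] = None, last_end: int = 0) -> Optional[int]:
    """Search `buf` for `pattern` under one content's modifiers.

    offset/depth are absolute: the window is buf[offset : offset+depth].
    distance/within are relative to the end of the previous content match
    (`last_end`); with no earlier content that is the buffer start, which is
    why within:7;distance:0 and depth:7 coincide for the rule in the thread.
    Returns the index just past the match, or None when it does not match.
    """
    if distance is not None or within is not None:
        start = last_end + (distance or 0)
        window = buf[start:start + within] if within is not None else buf[start:]
    else:
        start = offset
        window = buf[start:start + depth] if depth is not None else buf[start:]
    idx = window.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def match_rule(file_data: bytes, contents) -> bool:
    """Evaluate an ordered list of (pattern, modifiers) the way Snort chains
    content options: relative modifiers refer to the end of the previous match."""
    last_end = 0
    for pattern, mods in contents:
        end = content_match(file_data, pattern, last_end=last_end, **mods)
        if end is None:
            return False
        last_end = end
    return True


# The three variants: as submitted, as added to the community ruleset, and
# with no positional modifier at all.
RULE_SUBMITTED = [(RTF_MAGIC, dict(distance=0, within=7))]
RULE_COMMUNITY = [(RTF_MAGIC, dict(depth=7))]
RULE_ANYWHERE = [(RTF_MAGIC, {})]

# Constructed file_data samples (not real malware): one with the odd header,
# one ordinary RTF, and one ordinary RTF that merely contains the string later.
SAMPLE_MAGIC = b"{\\rtvpn1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}}"
SAMPLE_STD = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}}"
SAMPLE_LATER = b"{\\rtf1\\ansi\\deff0{\\*\\comment {\\rtvpn}}}"


def evaluate(rule, samples=(SAMPLE_MAGIC, SAMPLE_STD, SAMPLE_LATER)):
    """Match one rule against each sample; returns a list of booleans."""
    return [match_rule(s, rule) for s in samples]


# Where depth and within differ: a second content after an earlier match.
# Constructed sample (assumed layout): the {\rtf1 header ends at byte 6 and
# \objdata starts at byte 57, so it ends 59 bytes after the header but 65
# bytes into the buffer.
SAMPLE_CHAIN = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
                b"{\\object\\objemb{\\*\\objdata 0105}}")
HEADER = (b"{\\rtf1", dict(depth=6))
CHAIN_WITHIN = [HEADER, (b"\\objdata", dict(distance=0, within=60))]  # 60 bytes past header
CHAIN_DEPTH = [HEADER, (b"\\objdata", dict(depth=60))]                 # first 60 bytes of buffer


if __name__ == "__main__":
    for name, rule in (("within:7;distance:0", RULE_SUBMITTED),
                       ("depth:7", RULE_COMMUNITY),
                       ("no modifier", RULE_ANYWHERE)):
        print(f"{name:20} -> {evaluate(rule)}")
    print("chained within:60   ->", match_rule(SAMPLE_CHAIN, CHAIN_WITHIN))
    print("chained depth:60    ->", match_rule(SAMPLE_CHAIN, CHAIN_DEPTH))
```

The first two rules agree on every sample because a lone content has nothing earlier to be relative to, so both windows start at byte 0. The unmodified variant also fires on SAMPLE_LATER, which is the false positive both positional forms are there to avoid. The chained pair is the case Matt's note is about: depth stays anchored to the start of file_data no matter what matched before it, while distance/within move with the previous match.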

