Snort mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2018-8162 rule

From: Sevens Benoît <Benoit.Sevens () mil be>
Date: Thu, 7 Jun 2018 12:10:14 +0000
Hi all,

Our IDS has triggered on the HTTP download of an xls file with sha256: 
714b5fba91302b5a6acfc4d659329dbde429f1fa4460970d60e76711da67b94a

The file can be downloaded from Virustotal

The rule that triggered was this one: 

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BOF memory 
disclosure attempt"; flow:to_client,established; flowbits:isset, file.xls; file_data; content:"|09 08 10 00 00 06 05 
00|"; content:"|07|"; within:1; distance:3; byte_test:1,&,16, 0, relative; byte_test:1,&,1, 0, relative; 
byte_test:1,&,8, 0, relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, 
service ftp-data, service http, service imap, service pop3; reference:cve,2016-0140; reference:cve,2018-8162; 
reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8162; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-recon; sid:38785; rev:4;)

It is hard for us to say now if this is a false positive or not, taking into account the fact that exploits for these 
CVE's could not be found online.

Does anyone have more knowledge on this Snort signature in order to determine if this is a false positive or not?

Regards,

Benoit
This e-mail and any attachments may contain sensitive and 
privileged information. If you are not the intended recipient, 
please notify the sender immediately by return e-mail, 
delete this e-mail and destroy any copies. 
Any dissemination or use of this information by a person other 
than the intended recipient is unauthorized and may be illegal.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: