Re: Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

[Joel Esler <jesler () cisco com>]

On Tue, Jul 12, 2016 at 02:08:59PM +0200, rmkml wrote:
> Hi,
>
> The http://etplc.org open source project offer a new sig for detecting LibreOffice RTF stylesheet and superscript 
> tokens access:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens 
> access";
> flow:to_client,established; file_data; content:"\\rtf1"; within:5; distance:1; content:"\\stylesheet"; distance:0; 
> content:"\\super";
> distance:0; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/;
> reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)
>
> See reference for more information.
>
> Don't forget check variables.
>
> Futur plan: better if you use flowbits for checking rtf file, and don't forget smtp trafic...


Thanks rmkml, I've sent this over to the analyst team.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!