Snort mailing list archives
Re: New sig for detecting possible Hancitor maldoc bypass via PNG
From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Mon, 7 Nov 2016 10:39:00 -0500
rmkml, Thanks for your submission. I'll review and test this rule and get back to you when it's finished. -- Josh Williams Detection Response Team TALOS Security Group On Sun, Nov 6, 2016 at 3:11 PM, rmkml <rmkml () ligfy org> wrote:
Hi, First, Thx @didierstevens and @sans_isc, Please check a new sig for detecting possible Hancitor maldoc bypass via PNG: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT possible Hancitor maldoc bypass via PNG image attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; within:8; distance:0; content:"|00 00 00 00|IEND"; distance:0; content:"STARFALL"; fast_pattern; within:12; distance:0; reference:url, isc.sans.edu/forums/diary/Hancitor+Maldoc+Bypasses+Application+ Whitelisting/21683/; classtype:attempted-user; sid:1; rev:1;) Don't forget check variables. Please send any comments. Regards @Rmkml ------------------------------------------------------------ ------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- New sig for detecting possible Hancitor maldoc bypass via PNG rmkml (Nov 06)
- Re: New sig for detecting possible Hancitor maldoc bypass via PNG Joshua Williams (Nov 07)