Snort mailing list archives

Re: Alerts for OOXML and MOX


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 03 Sep 2017 09:32:20 -0600

On Sun, 2017-09-03 at 14:01 +0000, Will via Snort-sigs wrote:
Hello,

    I am pretty new to the Snort world.  I am wondering if it is
possible to create an alert that can look inside OOXML or MOX type
formats to find clear text content.  The thing about these file types
is that they are compressed files with their own file structure within
the file.  What I am aiming at doing is to have a Snort alert look
for people trying to offload (copy) lots of sensitive data (like
Social Security Numbers) from these types of files.  One alert I created
looks like this.

alert tcp any any -> any any (msg:"Sensitive Info being Accessed";
pcre:"/\d{3}\-\d{2}\-\d{4}/"; sid:100001; rev:1;)

But this alert only works for things like text files.

I am thinking there might have to be a preprocessing for this to
work?  Is there something like this out there?

- Will
_______________________________________________

Check out the preproc sensitive-data.rules...should be what you need.
James
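To see concretely why the pcre rule in the question fires on a text file but not on a .docx, here is an added Python example (not part of the thread, and not Snort code): it builds a minimal OOXML package in memory, scans the raw container bytes the way a byte-level content/pcre match would, then inflates each zip member and scans the plaintext. OOXML parts are DEFLATE-compressed zip entries, so whatever does the matching, pcre or the sensitive_data preprocessor's sd_pattern, only sees the digits if something has inflated those members first. The two SSNs, the document body and the 4 MiB per-member cap are constructed values chosen for the example.

```python
"""Why a byte-level SSN regex misses OOXML, and what inflating the container recovers."""
import io
import re
import zipfile

# Same shape as the Snort rule in the thread (NNN-NN-NNNN), as a bytes pattern
# because wire payloads are bytes. \b keeps 1234-56-7890 from matching.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample: two made-up SSNs in a minimal WordprocessingML body.
DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b"<w:body><w:p><w:r><w:t>Employee 123-45-6789</w:t></w:r></w:p>"
    b"<w:p><w:r><w:t>Contractor 987-65-4321</w:t></w:r></w:p></w:body></w:document>"
)
CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    b'officedocument.wordprocessingml.document.main+xml"/></Types>'
)

# Arbitrary cap so a hostile archive (zip bomb) cannot make the scanner inflate gigabytes.
MAX_MEMBER_BYTES = 4 * 1024 * 1024


def build_docx(deflate: bool = True) -> bytes:
    """Build a minimal .docx in memory.

    Real OOXML writers use DEFLATE; deflate=False stores members uncompressed,
    which is the contrast case where the plaintext IS visible on the wire.
    """
    method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def count_raw(payload: bytes) -> int:
    """Matches a content/pcre scan over the raw payload bytes would find."""
    return len(SSN_RE.findall(payload))


def count_inflated(payload: bytes, max_member_bytes: int = MAX_MEMBER_BYTES) -> int:
    """Inflate each zip member (bounded) and scan the plaintext.

    Non-zip payloads fall back to the raw scan, so plain text behaves as before.
    """
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        return count_raw(payload)
    hits = 0
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member_bytes:
                continue  # skip directories and members that declare an oversized size
            with zf.open(info) as member:
                # Bounded read: the declared size can lie, so do not trust it blindly.
                hits += len(SSN_RE.findall(member.read(max_member_bytes + 1)))
    return hits


if __name__ == "__main__":
    for label, blob in (("deflated .docx", build_docx()), ("stored .docx", build_docx(False))):
        print(f"{label}: raw={count_raw(blob)} inflated={count_inflated(blob)}")
```

Running it shows the deflated package yielding zero raw matches and two after inflation, while the stored package leaks both SSNs to the raw scan; that gap is exactly the "preprocessing" the question is asking about, and it applies to any container format that compresses its members.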
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
