Snort mailing list archives
Re: [Emerging-Sigs] List if rules hit with an ISO file
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 22 Mar 2018 11:10:17 -0600
Thanks...I'll send this up to the snort-sigs folks as well. Here's the hash:

816F3F0D32F393B7738945B78826F53D1F97EE0877E9E68E8D57AD40AC3588E5

Thank you!

James

On 2018-03-22 11:00, Francis Trudeau wrote:

Only one of those, 2014099, is ours. It should have alerted with another SID as it has a flowbits:isset. It could have alerted with 2014097, which has noalert, but that's the only flowbit set rule that has noalert. What's the md5/sha1/whatever of that ISO? I can look around to see if I can't recreate what you saw.

On Mon, Mar 19, 2018 at 9:49 AM, James Lay <jlay () slave-tothe-box net> wrote:

Wow does this ISO file from MS fire off a bunch of stuff:

hxxp://fullproduct.download.microsoft[.]com/download/release/3/6/1/SW_DVD5_SharePoint_Server_2013w_SP1_64Bit_English_MLF_X19-36118.ISO

[3:15298:12] FILE-OFFICE Microsoft Visio could allow remote code execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
[1:32986:1] MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt [**] [Classification: A Network Trojan was Detected] [Priority: 1]
[1:10000162:1] POLICY Composite Office Document Containing Macro via http [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
[1:2014099:2] ET TROJAN Exploit Kit Delivering Office File to Client [**] [Classification: A Network Trojan was Detected] [Priority: 1]

Just an FYI really.

James

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
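Added example, not part of the thread and not code from Snort or Emerging Threats: a small Python parser for Snort fast-format alert headers like the four quoted above. It splits each header into gid/sid/rev, message, classification and priority, then attributes the SID to the ruleset that owns its number range, which is the first question Francis answers ("only one of those, 2014099, is ours"). The range mapping (Snort reserves SIDs below 1,000,000; Emerging Threats uses 2,000,000 to 2,999,999; everything else is treated as local/custom) is a stated convention I am assuming, not something the thread says, and the sample lines are constructed copies of the alerts quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Snort "fast" alert header: [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N]
# The leading [**] is optional here because mail clients and list archives often strip it,
# as happened with the lines quoted in the thread.
ALERT_RE = re.compile(
    r"(?:\[\*\*\]\s*)?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*"
    r"(?P<msg>.*?)\s*\[\*\*\]"
    r"(?:\s*\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s*\[Priority:\s*(?P<prio>\d+)\])?"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]

    @property
    def ruleset(self) -> str:
        """Attribute a SID to the ruleset owning its number range.

        Assumed convention (not from the thread): SIDs below 1,000,000 are
        reserved for Snort/Talos rules; 2,000,000-2,999,999 belong to
        Emerging Threats; anything else is treated as a local/custom rule.
        """
        if self.sid < 1_000_000:
            return "snort"
        if 2_000_000 <= self.sid < 3_000_000:
            return "emerging-threats"
        return "local"


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert header line; return None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        msg=m["msg"].strip(),
        classification=m["cls"].strip() if m["cls"] else None,
        priority=int(m["prio"]) if m["prio"] else None,
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse every alert line in a block of text, skipping non-alert lines."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]


def by_ruleset(alerts: List[Alert]) -> Dict[str, List[int]]:
    """Group SIDs by the ruleset they are attributed to, preserving input order."""
    groups: Dict[str, List[int]] = {}
    for a in alerts:
        groups.setdefault(a.ruleset, []).append(a.sid)
    return groups


# Constructed sample input: the four alert headers quoted in the thread, one per line.
SAMPLE = """\
[3:15298:12] FILE-OFFICE Microsoft Visio could allow remote code execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
[1:32986:1] MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt [**] [Classification: A Network Trojan was Detected] [Priority: 1]
[1:10000162:1] POLICY Composite Office Document Containing Macro via http [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
[1:2014099:2] ET TROJAN Exploit Kit Delivering Office File to Client [**] [Classification: A Network Trojan was Detected] [Priority: 1]
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    for a in alerts:
        print(f"{a.gid}:{a.sid}:{a.rev} [{a.ruleset}] prio={a.priority} {a.msg}")
    print(by_ruleset(alerts))
```

Grouping by SID range tells you which list to report a suspected false positive to; the gid is also worth keeping, since gid 3 (as on the first line) marks a shared-object rule whose logic is not readable in the text ruleset.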