Snort mailing list archives

Re: [Emerging-Sigs] List if rules hit with an ISO file


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 22 Mar 2018 11:10:17 -0600

Thanks...I'll send this up to the snort-sigs folks as well. Here's the hash:

816F3F0D32F393B7738945B78826F53D1F97EE0877E9E68E8D57AD40AC3588E5

Thank you!

James

On 2018-03-22 11:00, Francis Trudeau wrote:
Only one of those, 2014099, is ours.  It should have alerted with
another SID as it has a flowbits:isset.  It could have alerted with
2014097, which has noalert, but that's the only flowbit set rule that
has noalert.

What's the md5/sha1/whatever of that ISO?  I can look around to see if
I can't recreate what you saw.



On Mon, Mar 19, 2018 at 9:49 AM, James Lay <jlay () slave-tothe-box net> wrote:
Wow does this ISO file from MS fire off a bunch of stuff:

hxxp://fullproduct.download.microsoft[.]com/download/release/3/6/1/SW_DVD5_SharePoint_Server_2013w_SP1_64Bit_English_MLF_X19-36118.ISO

[3:15298:12] FILE-OFFICE Microsoft Visio could allow remote code execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
[1:32986:1] MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt [**] [Classification: A Network Trojan was Detected] [Priority: 1]
[1:10000162:1] POLICY Composite Office Document Containing Macro via http [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
[1:2014099:2] ET TROJAN Exploit Kit Delivering Office File to Client [**] [Classification: A Network Trojan was Detected] [Priority: 1]

Just an FYI really.

James
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats! https://snort.org/downloads/#rule-downloads
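The reasoning in Francis's reply (a flowbits:isset rule can only fire if some earlier rule on the same flow set the bit, and a setter carrying flowbits:noalert matches without ever showing up in the alert log) is easy to check mechanically against a ruleset. The script below is an added example, not code from the thread or from the Emerging Threats or Snort projects: it parses rule text, indexes which SIDs set each flowbit, and for a given checker reports which setters you would expect to see alongside it in the alert log and which ones would have matched silently. The sample rules and SIDs (9000001 to 9000005) are constructed for illustration and are not the real text of 2014097 or 2014099; it assumes Snort 2.9 syntax, where several bits may be joined with & or |, and simply treats every named bit as a candidate prerequisite without modelling OR semantics.

```python
"""Audit Snort flowbits dependencies: which rules must have matched before a
flowbits:isset rule can fire, and which of those would be hidden by noalert.
Added example; not the Snort or Emerging Threats project's own tooling."""
import re

# Constructed sample rules with hypothetical SIDs (9000001-9000005). They mirror
# the setter/checker structure discussed on the list; they are NOT the real ET
# rule text for 2014097/2014099.
SAMPLE_RULES = r'''
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Landing page seen"; flow:established,to_client; content:"<html"; flowbits:set,ex.landing; flowbits:noalert; classtype:trojan-activity; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Office file after landing page"; flow:established,to_client; flowbits:isset,ex.landing; file_data; content:"|D0 CF 11 E0|"; classtype:trojan-activity; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Script seen (alerting setter)"; flow:established,to_client; content:"evil.js"; flowbits:set,ex.script; classtype:trojan-activity; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Payload with two prerequisites"; flow:established,to_client; flowbits:isset,ex.landing&ex.script; content:"payload"; classtype:trojan-activity; sid:9000004; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Checker whose bit nothing sets"; flow:established,to_client; flowbits:isset,ex.orphan; content:"dead"; classtype:trojan-activity; sid:9000005; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*([^;]+);')


def parse_rules(text):
    """One dict per rule: sid, msg, bits it sets, bits it tests with isset, noalert flag."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        msg_m = MSG_RE.search(line)
        rule = {"sid": int(sid_m.group(1)),
                "msg": msg_m.group(1) if msg_m else "",
                "sets": [], "issets": [], "noalert": False}
        for opt in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(',')]
            verb = parts[0].lower()
            # Several bits may be joined with & or |; collect every name.
            names = [n.strip() for n in re.split(r'[&|]', parts[1])] if len(parts) > 1 else []
            if verb == 'noalert':
                rule["noalert"] = True
            elif verb in ('set', 'setx'):
                rule["sets"].extend(names)
            elif verb == 'isset':
                rule["issets"].extend(names)
        rules.append(rule)
    return rules


def setter_index(rules):
    """Map flowbit name -> [(setter_sid, noalert), ...]."""
    index = {}
    for r in rules:
        for name in r["sets"]:
            index.setdefault(name, []).append((r["sid"], r["noalert"]))
    return index


def prerequisites(rules, sid):
    """For a checker rule, {bit: [(setter_sid, noalert), ...]} for every bit it
    tests with isset. An empty list means no rule in the set ever sets that bit."""
    checker = next(r for r in rules if r["sid"] == sid)
    index = setter_index(rules)
    return {bit: index.get(bit, []) for bit in checker["issets"]}


def expected_companions(rules, sid):
    """Split a checker's candidate setters into SIDs you would expect to see next
    to it in the alert log and SIDs that matched silently because of noalert."""
    visible, silent = set(), set()
    for setters in prerequisites(rules, sid).values():
        for setter_sid, noalert in setters:
            (silent if noalert else visible).add(setter_sid)
    return visible, silent


def orphan_checkers(rules):
    """SIDs that test a bit no rule sets; such rules can never fire."""
    index = setter_index(rules)
    return sorted(r["sid"] for r in rules if any(b not in index for b in r["issets"]))


RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for r in RULES:
        if not r["issets"]:
            continue
        visible, silent = expected_companions(RULES, r["sid"])
        print(f'{r["sid"]} ({r["msg"]}) needs {r["issets"]}: '
              f'visible setters {sorted(visible)}, silent setters {sorted(silent)}')
    print("checkers with no possible setter:", orphan_checkers(RULES))
```

Run against your own rules directory (concatenate the .rules files into the text passed to parse_rules) when a checker fires on its own: if every setter for its bits carries noalert, an alert log with only the checker in it is exactly what you should expect; if a setter without noalert exists but never appeared, either a different flow set the bit or the setter's content match is worth re-examining. The orphan check is the complementary sanity test for local rules whose isset bit nothing ever sets.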

