[Snort-sigs] Offer a new sig for detecting possible Malicious RTF file

rmkml rmkml at ...4129...
Wed Apr 13 16:29:03 EDT 2016


Hi,

First, thanks @Sekoya_fr for sharing.

The http://etplc.org open-source project offers a new sig for detecting a possibly malicious RTF file opened by MS-Office:

# sid:1 is a placeholder; assign a local sid before loading the rule.
# The backslash in the content is escaped so the rule matches a literal "{\rtvpn".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF Possible malicious MS-Office attempt"; \
    flow:from_server,established; \
    file_data; content:"{\\rtvpn"; within:7; distance:0; \
    reference:cve,2015-1641; \
    reference:url,www.sekoia.fr/blog/ms-office-exploit-analysis-cve-2015-1641/; \
    reference:url,www.decalage.info/rtf_tricks; \
    classtype:misc-activity; \
    sid:1; rev:1;)

See the references for more information.

Don't forget to check the variables.

Please send any comments.

Regards
@Rmkml
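The following Python script is an added example, not part of the original post or of the etplc.org project. It reproduces offline what the posted rule tests (the literal "{\rtvpn" must sit in the first 7 bytes of the HTTP body, which is what file_data plus within:7 imply) and then generalises it: the rtf_tricks reference documents that Word only requires "{\rt" at the start of a file and accepts arbitrary bytes after it, so any header that starts with "{\rt" but is not the standard "{\rtf1" is worth flagging, not only the single variant the sig names. The function names and the sample HTTP response are assumptions constructed for this example.

```python
"""Offline check mirroring (and generalising) the posted Snort RTF header rule.

Added example, not the original post's or etplc.org's code. All sample
inputs below are constructed; nothing is read from the network.
"""

# The sig: file_data; content:"{\\rtvpn"; within:7.
# Content length is 7 and within is 7, so the literal must start at offset 0
# of the file (HTTP body) buffer.
SIG_LITERAL = b"{\\rtvpn"

# A well-formed RTF document begins with "{\rtf1". Per the rtf_tricks
# reference, Word accepts any file that merely starts with "{\rt".
STANDARD_HEADER = b"{\\rtf1"
MINIMAL_HEADER = b"{\\rt"


def sig_matches(file_data: bytes) -> bool:
    """Exactly what the posted rule tests: the literal at offset 0 of file_data."""
    return file_data[: len(SIG_LITERAL)] == SIG_LITERAL


def classify_rtf_header(file_data: bytes) -> str:
    """Generalised check (assumed classification, not from the post):

    'standard'    -> begins with {\\rtf1 (normal RTF)
    'nonstandard' -> begins with {\\rt but not {\\rtf1 (Word still opens it;
                     this is the trick the sig's {\\rtvpn literal is one case of)
    'not-rtf'     -> anything else
    """
    if file_data.startswith(STANDARD_HEADER):
        return "standard"
    if file_data.startswith(MINIMAL_HEADER):
        return "nonstandard"
    return "not-rtf"


def http_body(response: bytes) -> bytes:
    """Return the body of a raw HTTP response, i.e. the bytes file_data inspects.

    Assumes an unchunked, uncompressed response (the constructed sample below);
    a real sensor would normalise the body first. Returns b"" if no header/body
    separator is present.
    """
    _head, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""


def inspect_http_response(response: bytes) -> dict:
    """Apply both the exact sig test and the generalised header test to a response."""
    body = http_body(response)
    return {"sig_match": sig_matches(body), "header": classify_rtf_header(body)}


# Constructed samples (not real malware, not from the references).
SAMPLE_STANDARD = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}Hello}"
SAMPLE_SIG = b"{\\rtvpn\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}Hello}"
SAMPLE_OTHER_VARIANT = b"{\\rtxyz\\ansi\\deff0 Hello}"
SAMPLE_PDF = b"%PDF-1.4 not an rtf"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/rtf\r\n"
    b"Content-Length: " + str(len(SAMPLE_SIG)).encode() + b"\r\n"
    b"\r\n" + SAMPLE_SIG
)

if __name__ == "__main__":
    for name, data in [("standard", SAMPLE_STANDARD), ("sig", SAMPLE_SIG),
                       ("other", SAMPLE_OTHER_VARIANT), ("pdf", SAMPLE_PDF)]:
        print(f"{name:9s} sig_match={sig_matches(data)!s:5s} "
              f"header={classify_rtf_header(data)}")
    print("http response:", inspect_http_response(SAMPLE_RESPONSE))
```

Note that the sig is deliberately narrow: "{\rtxyz" would open in Word just as "{\rtvpn" does but is not matched, which is why the generalised classify_rtf_header() is the check to run on samples pulled from a sensor, while sig_matches() is the faithful replica of the rule itself.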



