[Snort-sigs] Offer a new sig for detecting possible Malicious RTF file

Matthew Mickel mmickel at ...435...
Thu Apr 21 08:16:12 EDT 2016


Hi, Rmkml-

Thanks for your submission.  We've added a slightly modified version of this
rule to the community ruleset (SIDs: 38580, 38581).  Rather than using
within:7; distance:0; I have changed the modifier to depth:7;  This is
because Snort will begin searching at the beginning of a buffer, in this
case file_data, unless told otherwise (by using offset, distance).  Because
you are searching for your content match relative to the beginning of the
file_data buffer, depth:7; is the more appropriate modifier.  I hope that's
a useful bit of information.  Thanks again for your contribution.  It is
greatly appreciated!

Best,

Matt Mickel
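
Added example (not Snort code and not part of either message): a small Python model of how Snort's content modifiers bound the search window in file_data, following the reply above. It shows that, for a first content with no prior match, within:7; distance:0; and depth:7; select the same 7-byte window at the start of the buffer, and that either one rejects a header that is not at byte 0. The buffers, the helper names and the exact window arithmetic are assumptions of this example, not the Snort implementation.

```python
# Added example: a minimal model of Snort content modifiers (not Snort's code).
RTF_MAGIC = b"{\\rtvpn"   # content from the posted rule, as raw bytes (7 bytes)


def content_match(buf, pattern, offset=0, depth=None, distance=None, within=None, prev_end=0):
    """Return the index just past the match, or None if the pattern is not found.

    offset/depth bound the search from the start of the buffer. distance/within
    bound it relative to the end of the previous content match (prev_end); with no
    previous match that is the start of the buffer, as the reply above describes.
    The pattern must lie entirely inside the resulting window.
    """
    if distance is not None or within is not None:
        start = prev_end + (distance or 0)
        end = len(buf) if within is None else start + within
    else:
        start = offset
        end = len(buf) if depth is None else start + depth
    idx = buf[start:end].find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def rtf_header_alert(file_data):
    """Community-rule form: depth:7 anchors the 7-byte header at byte 0 of file_data."""
    return content_match(file_data, RTF_MAGIC, depth=7) is not None


def submitted_rtf_header_alert(file_data):
    """Submitted form: within:7; distance:0; with no prior match, so prev_end is 0."""
    return content_match(file_data, RTF_MAGIC, distance=0, within=7) is not None


if __name__ == "__main__":
    # Constructed sample buffers, not real files.
    samples = {
        "header_at_0": b"{\\rtvpn1\\ansi\\deff0 {\\fonttbl}}",
        "header_shifted": b"  {\\rtvpn1\\ansi",          # header preceded by two bytes
        "header_in_body": b"{\\rtf1\\ansi note {\\rtvpn} text",  # string later in the file
    }
    for name, buf in samples.items():
        print(f"{name:15s} depth:7 -> {rtf_header_alert(buf)!s:5s} "
              f"within:7;distance:0 -> {submitted_rtf_header_alert(buf)}  "
              f"unbounded content -> {content_match(buf, RTF_MAGIC) is not None}")
```

The third sample shows what the unbounded content match would do: without depth (or within/distance) the rule would fire on the string anywhere in the buffer, not only as the file header.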

On Wed, Apr 13, 2016 at 4:29 PM, rmkml <rmkml at ...4129...> wrote:

> Hi,
>
> First, Thx @Sekoya_fr for sharing
>
> The http://etplc.org open source project offers a new sig for detecting
> possible Malicious RTF files opened by MS-Office:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF
> Possible malicious MS-Office attempt"; flow:from_server,established;
> file_data; content:"{\\rtvpn"; within:7; distance:0;
> reference:cve,2015-1641;
> reference:url,www.sekoia.fr/blog/ms-office-exploit-analysis-cve-2015-1641/;
> reference:url,www.decalage.info/rtf_tricks; classtype:misc-activity;
> sid:1; rev:1;)
>
> See reference for more information.
>
> Don't forget to check variables.
>
> Please send any comments.
>
> Regards
> @Rmkml
>