[Snort-sigs] Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

rmkml rmkml at ...4129...
Tue Jul 12 08:08:59 EDT 2016


Hi,

The http://etplc.org open source project offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens access";
flow:to_client,established; file_data; content:"\\rtf1"; within:5; distance:1; content:"\\stylesheet"; distance:0; content:"\\super";
distance:0; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/;
reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)

See reference for more information.

Don't forget check variables.

Futur plan: better if you use flowbits for checking rtf file, and don't forget smtp trafic...

Please send any comments.

Regards
@Rmkml

PS: At this time, Cisco/Talos not published sid 39148 or 39149 for this vulnerability.




More information about the Snort-sigs mailing list