[Snort-sigs] Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

Joel Esler jesler at ...3865...
Wed Jul 13 12:08:44 EDT 2016


On Tue, Jul 12, 2016 at 02:08:59PM +0200, rmkml wrote:
>Hi,
>
>The http://etplc.org open source project offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access:
>
>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens access";
>flow:to_client,established; file_data; content:"\\rtf1"; within:5; distance:1; content:"\\stylesheet"; distance:0; content:"\\super";
>distance:0; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/;
>reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)
>
>See reference for more information.
>
>Don't forget check variables.
>
>Futur plan: better if you use flowbits for checking rtf file, and don't forget smtp trafic...


Thanks rmkml, I've sent this over to the analyst team.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com




More information about the Snort-sigs mailing list