[Snort-sigs] Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

Joel Esler (jesler) jesler at ...3865...
Sat Jul 16 09:56:29 EDT 2016


After talking with the team, and taking a look at the ruleset, we released signatures to defend you from this threat on 2016-06-02.

The sids are 39148 and 39149, as you said in your email.  However, they are shared object rules, and we released them on the above date.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com


On Jul 12, 2016, at 8:08 AM, rmkml <rmkml at ...4129...<mailto:rmkml at ...4171....>> wrote:

Hi,

The http://etplc.org open source project offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens access";
flow:to_client,established; file_data; content:"\\rtf1<smb://rtf1>"; within:5; distance:1; content:"\\stylesheet<smb://stylesheet>"; distance:0; content:"\\super<smb://super>";
distance:0; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/<http://www.talosintelligence.com/reports/TALOS-2016-0126/>;
reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)

See reference for more information.

Don't forget check variables.

Futur plan: better if you use flowbits for checking rtf file, and don't forget smtp trafic...

Please send any comments.

Regards
@Rmkml

PS: At this time, Cisco/Talos not published sid 39148 or 39149 for this vulnerability.

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20160716/31c1d146/attachment.html>


More information about the Snort-sigs mailing list