[Snort-sigs] Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

Joel Esler (jesler) jesler at ...3865...
Sat Jul 16 09:56:29 EDT 2016

After talking with the team, and taking a look at the ruleset, we released signatures to defend you from this threat on 2016-06-02.

The sids are 39148 and 39149, as you said in your email.  However, they are shared object rules, and we released them on the above date.

Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group

On Jul 12, 2016, at 8:08 AM, rmkml <rmkml at ...4129...> wrote:


The http://etplc.org open source project offers a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens access";
flow:to_client,established; file_data; content:"\\rtf1"; within:5; distance:1; content:"\\stylesheet"; distance:0; content:"\\super";
distance:0; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/;
reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Future plan: better if you use flowbits for checking the rtf file, and don't forget smtp traffic...

Please send any comments.


PS: At this time, Cisco/Talos has not published sid 39148 or 39149 for this vulnerability.

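As an added example (not code from the etplc.org project, from Snort, or from either poster), the script below models the three ordered content checks of the rule quoted above in Python, so the match logic can be exercised offline on sample RTF bytes. It mirrors Snort's relative-offset semantics as assumed here: each content is searched from the end of the previous match plus distance, and within bounds the window in which the whole pattern must be found. That is what pins \rtf1 to offset 1 of the file (right after the opening brace) while \stylesheet and \super may appear anywhere later, in that order. The sample documents are constructed, not real malicious files.

```python
"""Offline model of the RTF stylesheet/superscript rule's content matching.

Constructed example: neither the etplc.org rule nor the Snort engine.
It reproduces the ordered content / distance / within checks from the rule
so the matching behaviour can be tried on sample bytes without a sensor.
"""
from typing import List, Optional, Tuple

# (pattern, distance, within) in the order the rule lists its content matches.
# within=None models the rule's plain "distance:0" contents (no upper bound).
RULE_CONTENTS: List[Tuple[bytes, int, Optional[int]]] = [
    (b"\\rtf1", 1, 5),          # content:"\\rtf1"; within:5; distance:1;
    (b"\\stylesheet", 0, None), # content:"\\stylesheet"; distance:0;
    (b"\\super", 0, None),      # content:"\\super"; distance:0;
]


def match_relative_contents(data: bytes, contents=RULE_CONTENTS) -> bool:
    """Return True when every pattern matches in order, each relative to the
    end of the previous match (the cursor), as Snort's modifiers do.

    Assumed window semantics: the search starts at cursor + distance; when
    `within` is set the pattern must lie entirely inside the next `within`
    bytes from that start. With distance:1 and within:5 the 5-byte pattern
    "\\rtf1" therefore has to sit exactly at offset 1 of the file_data buffer.
    """
    cursor = 0
    for pattern, distance, within in contents:
        start = cursor + distance
        end = len(data) if within is None else start + within
        pos = data.find(pattern, start, end)  # end is exclusive: whole pattern inside window
        if pos == -1:
            return False
        cursor = pos + len(pattern)
    return True


# Constructed RTF samples (not real exploit documents).
SUSPECT_RTF = (b"{\\rtf1\\ansi{\\stylesheet{\\s0 Normal;}}"
               b"\\pard Hello {\\super 2} world\\par}")
BENIGN_RTF = b"{\\rtf1\\ansi\\pard Hello world\\par}"
# Tokens present, but \rtf1 is not at offset 1: the rule's magic check fails.
NOT_RTF = b"<html><body>\\rtf1\\stylesheet\\super</body></html>"
# Tokens present but \super precedes \stylesheet: the ordered check fails.
OUT_OF_ORDER_RTF = b"{\\rtf1\\ansi \\super 2 {\\stylesheet{\\s0 Normal;}}}"


def scan_samples() -> dict:
    """Run the rule model over every constructed sample and return the verdicts."""
    samples = {
        "suspect": SUSPECT_RTF,
        "benign": BENIGN_RTF,
        "not_rtf": NOT_RTF,
        "out_of_order": OUT_OF_ORDER_RTF,
    }
    return {name: match_relative_contents(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:13s} -> {'ALERT' if hit else 'no match'}")
```

The not_rtf and out_of_order samples are the useful ones when tuning: they show that the rule is anchored on the RTF magic at the start of file_data and on token order, so a document that merely contains the three tokens somewhere does not fire.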
