[Snort-sigs] New sig for detecting possible Hancitor maldoc bypass via PNG

rmkml rmkml at ...4129...
Sun Nov 6 15:11:36 EST 2016


Hi,

First, thanks to @didierstevens and @sans_isc,

Please check a new sig for detecting possible Hancitor maldoc bypass via PNG:

# Matches an HTTP response body that starts with the PNG signature, contains a
# zero-length IEND chunk, and carries "STARFALL" immediately after IEND's 4-byte
# CRC (4 + 8 bytes = within:12). sid:1 is a placeholder; use a local SID when deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT possible Hancitor maldoc bypass via PNG image attempt"; \
flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; within:8; distance:0; content:"|00 00 00 00|IEND"; distance:0; \
content:"STARFALL"; fast_pattern; within:12; distance:0; reference:url,isc.sans.edu/forums/diary/Hancitor+Maldoc+Bypasses+Application+Whitelisting/21683/; \
classtype:attempted-user; sid:1; rev:1;)

Don't forget to check the variables.

Please send any comments.

Regards
@Rmkml
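The detection logic of the rule above, reimplemented in Python as an added example (it is not part of the original post or of the Snort project): it builds a minimal valid PNG, appends a trailer after the IEND chunk, and applies the same signature / IEND / STARFALL checks with the rule's 12-byte window. The chunk-walking helper goes beyond the rule and reports any bytes appended after IEND, which is a broader (and noisier) check than matching the marker. The sample image and the payload bytes after the marker are constructed for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IEND_PATTERN = b"\x00\x00\x00\x00IEND"   # zero-length IEND chunk: length + type
MARKER = b"STARFALL"                     # marker the Snort rule keys on


def png_chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def build_png_with_trailer(trailer: bytes) -> bytes:
    """Constructed sample: a valid 1x1 greyscale PNG with `trailer` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b"")
            + trailer)


def matches_rule(data: bytes) -> bool:
    """Mirror the content/within/distance logic of the posted rule on a file_data buffer."""
    # content:"|89|PNG|0D 0A 1A 0A|"; within:8; distance:0 -> signature at buffer start
    if data[:8] != PNG_SIGNATURE:
        return False
    # content:"|00 00 00 00|IEND"; distance:0 -> anywhere after the signature
    iend = data.find(IEND_PATTERN, 8)
    if iend == -1:
        return False
    cursor = iend + len(IEND_PATTERN)
    # content:"STARFALL"; within:12; distance:0 -> the 8-byte marker must sit
    # entirely inside the next 12 bytes (4-byte IEND CRC + 8-byte marker)
    return MARKER in data[cursor:cursor + 12]


def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Walk the chunk list and return whatever follows the IEND chunk's CRC.

    Broader than the rule: flags any appended data, not only the STARFALL marker.
    Raises on malformed input instead of guessing.
    """
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")


if __name__ == "__main__":
    # Constructed payload bytes; a real sample would carry the dropped executable here.
    sample = build_png_with_trailer(MARKER + b"constructed-payload-bytes")
    print("rule match:", matches_rule(sample))
    print("bytes after IEND:", trailing_bytes_after_iend(sample))
```

Note that a trailer whose marker is pushed more than four bytes past the IEND CRC (or a different marker string) defeats the rule but is still reported by the chunk walker, so the two checks are worth running side by side when hunting rather than alerting.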
