[Snort-sigs] Offer sig for detecting Malformed RTF document

rmkml rmkml at ...4129...
Thu Mar 23 16:09:59 EDT 2017


First, thx @r00tbsd and Talos,

Please check this sig for detecting a malformed RTF document:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEB-RTF Malformed RTF with PNG header attempt"; \
    flow:to_client,established; file_data; \
    content:"{|5c|rt"; within:4; distance:0; \
    content:"PNG|0d 0a|"; within:5; distance:1; \
    classtype:attempted-user; sid:1; rev:1;)

Please send any comments.

Best Regards
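
What the posted rule's content chain matches, as an added example that is not part of the original post: a small Python emulation of relative distance/within matching, run over constructed byte buffers. It assumes Snort 2 semantics (distance and within measured from the end of the previous match, or from the file_data start for the first content); match_chain, rule_fires and the sample names are hypothetical.

```python
# Added illustration: emulates the relative content chain of the rule above.
# Assumption: Snort 2 semantics, where distance/within are measured from the
# end of the previous match (or from the file_data start for the first content).

RULE_CHAIN = [
    # (pattern, distance, within) taken from the posted rule
    (b"{\\rt", 0, 4),      # content:"{|5c|rt"; within:4; distance:0;
    (b"PNG\r\n", 1, 5),    # content:"PNG|0d 0a|"; within:5; distance:1;
]

def match_chain(data, chain, cursor=0):
    """Return True if every content in `chain` matches in order from `cursor`."""
    if not chain:
        return True
    pattern, distance, within = chain[0]
    start = cursor + distance
    # The whole pattern must fit inside the `within`-byte window.
    last_start = start + within - len(pattern)
    for pos in range(start, last_start + 1):
        if data[pos:pos + len(pattern)] == pattern:
            # Continue from the end of this match; if the rest of the chain
            # fails, keep looking for a later position of this pattern.
            if match_chain(data, chain[1:], pos + len(pattern)):
                return True
    return False

def rule_fires(file_data):
    """Apply the posted rule's two content matches to a file_data buffer."""
    return match_chain(file_data, RULE_CHAIN)

# Constructed sample buffers (not real documents).
SAMPLES = {
    "rtf_prefix_then_png_magic": b"{\\rt\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "ordinary_rtf": b"{\\rtf1\\ansi\\deff0 Hello}",
    "ordinary_png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "rtf_with_png_later": b"{\\rtf1{\\pict\\pngblip \x89PNG\r\n}}",
    "lowercase_png": b"{\\rt\x89png\r\n",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:28} {'ALERT' if rule_fires(buf) else 'no match'}")
```

Because both windows are exactly as wide as their patterns, the chain is anchored: it only fires when the file starts with `{\rt`, has one arbitrary byte at offset 4, and `PNG\r\n` at offsets 5 to 9. Matching is case-sensitive since the rule has no nocase modifier.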