[Snort-sigs] Offer sig for detecting Malformed RTF document

rmkml rmkml at ...4129...
Thu Mar 23 16:09:59 EDT 2017


Hello,

First, thx @r00tbsd and Talos,

Please check sig for detecting Malformed RTF document:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF Malformed RTF with PNG header attempt"; flow:to_client,established; file_data; \
content:"{|5c|rt"; within:4; distance:0; content:"PNG|0d 0a|"; within:5; distance:1; \
reference:url,blog.talosintelligence.com/2017/03/how-malformed-rtf-defeats-security.html; \
classtype:attempted-user; sid:1; rev:1;)

Please send any comments.

Best Regards
@Rmkml
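
Added example, not part of the original post: a small Python emulation of the rule's two relative content matches, run over constructed response bodies to show which byte layouts alert. It assumes Snort 2 semantics, where the search window opens at the cursor plus distance and is within bytes long; the function names and sample bodies are hypothetical.

```python
# Added illustration: emulates the two relative content matches of the rule
# on an already-decoded HTTP response body (the buffer file_data exposes).

RTF_PREFIX = b"{\\rt"   # content:"{|5c|rt"
PNG_MARK = b"PNG\r\n"   # content:"PNG|0d 0a|"


def relative_match(buf, cursor, pattern, distance, within):
    """Return the cursor position after the match, or None.

    Assumed Snort 2 semantics: the search starts at cursor + distance and
    the whole pattern must lie inside the next `within` bytes.
    """
    start = cursor + distance
    window = buf[start:start + within]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def rule_matches(body):
    """True when both content matches of the posted rule succeed."""
    # within:4; distance:0 -> the 4-byte prefix must sit at offset 0.
    cursor = relative_match(body, 0, RTF_PREFIX, distance=0, within=4)
    if cursor is None:
        return False
    # distance:1; within:5 -> skip exactly one byte, then "PNG\r\n".
    return relative_match(body, cursor, PNG_MARK, distance=1, within=5) is not None


# Constructed sample bodies (not taken from any real document).
SAMPLES = {
    "regular RTF": b"{\\rtf1\\ansi\\deff0 Hello}",
    "prefix, one byte, PNG marker": b"{\\rt\x89PNG\r\n\x1a\n rest",
    "PNG marker directly after prefix": b"{\\rtPNG\r\n",
    "plain PNG": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:34} {'ALERT' if rule_matches(body) else 'no match'}")
```
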



