[Snort-sigs] Alerts for OOXML and MOX

James Lay jlay at slave-tothe-box.net
Sun Sep 3 11:32:20 EDT 2017


On Sun, 2017-09-03 at 14:01 +0000, Will via Snort-sigs wrote:
> Hello,
> 
>     I am pretty new to the Snort world.  I am wondering if it is
> possible to create an alert that can look inside OOXML or MOX type
> formats to find clear text content.  The thing about these file types
> is that they are compressed files with their own file structure within
> the file.  What I am aiming at doing is to have a Snort alert look
> for people trying to offload (copy) lots of sensitive data (like
> Social Security Numbers) from these types of files.  One alert I created
> looks like this.
> 
> alert tcp any any -> any any (msg:"Sensitive Info being Accessed";
> pcre:"/\d{3}\-\d{2}\-\d{4}/"; sid:100001;)
> 
> But this alert only works for things like text files.
> 
> I am thinking there might have to be a preprocessing for this to
> work?  Is there something like this out there?
> 
> - Will
> 
Check out the preproc sensitive-data.rules...should be what you need.
James
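Will's question turns on the container format: an OOXML document (.docx, .xlsx, .pptx) is a ZIP archive whose text sits in DEFLATE-compressed XML members, so a regex applied to the bytes on the wire, which is what the pcre rule quoted above does, never sees the digits. The example below is added for this thread and is not code from the Snort project or from either poster. It shows that gap and the defensive fix: inflate the XML parts with a size cap, then apply the same pattern, and alert only once a hit count is reached. The sample document, the identifiers inside it, and the `scan_payload` / `should_alert` helpers are constructed for the demo.

```python
import io
import re
import zipfile

# The same digit pattern used in the rule from the thread, applied to bytes.
SSN_PATTERN = re.compile(rb"\d{3}-\d{2}-\d{4}")

# Upper bound on how much of any one decompressed part is inspected.
# Inflating untrusted archives without a cap invites a decompression bomb.
MAX_PART_BYTES = 8 * 1024 * 1024

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every OOXML container


def build_sample_docx(body_text: str) -> bytes:
    """Construct a minimal OOXML-style container in memory.

    Constructed sample for the demo, not a real Word document: real OOXML has
    more parts, but the property that matters here is the same, namely that
    the visible text lives in DEFLATE-compressed XML members.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<?xml version=\"1.0\"?><Types/>")
        zf.writestr(
            "word/document.xml",
            "<?xml version=\"1.0\"?><w:document><w:body><w:p><w:r><w:t>"
            + body_text
            + "</w:t></w:r></w:p></w:body></w:document>",
        )
    return buf.getvalue()


def count_raw_matches(payload: bytes) -> int:
    """What a pcre rule sees: the pattern applied to the bytes on the wire."""
    return len(SSN_PATTERN.findall(payload))


def count_inflated_matches(payload: bytes) -> int:
    """Inflate each XML part of a zip-based document and count matches there."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                # The declared size is attacker-controlled, so read() is capped too.
                continue
            with zf.open(info) as part:
                total += len(SSN_PATTERN.findall(part.read(MAX_PART_BYTES)))
    return total


def scan_payload(payload: bytes) -> int:
    """Dispatch on the container: inflate zip-based documents, scan others as-is."""
    if payload.startswith(ZIP_MAGIC):
        try:
            return count_inflated_matches(payload)
        except zipfile.BadZipFile:
            # Looks like a zip but is not one; fall back to the raw scan.
            return count_raw_matches(payload)
    return count_raw_matches(payload)


def should_alert(payload: bytes, threshold: int = 2) -> bool:
    """Fire on a hit count rather than on a single match, so one stray
    number-like string does not produce an alert by itself."""
    return scan_payload(payload) >= threshold


if __name__ == "__main__":
    # Constructed, non-real identifiers for the demo.
    sample = build_sample_docx("Accounts: 111-22-3333, 222-33-4444, 333-44-5555")
    print("raw pcre-style matches:", count_raw_matches(sample))
    print("matches after inflating parts:", count_inflated_matches(sample))
    print("alert:", should_alert(sample))
```

The Sensitive Data preprocessor James points to (sensitive_data in Snort 2.9, used through the sd_pattern rule option) matches on the payload as Snort reassembles it, not on inflated archive members, so for zip-based documents an inflation step like the one above, or a file-extraction stage that hands the decompressed parts to a scanner, is still needed. The cap on decompressed bytes is there because a scanner that inflates untrusted archives without one can be stalled by a decompression bomb.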