[Snort-sigs] CVE-2018-8162 rule

David Randolph drandolph at sourcefire.com
Thu Jun 7 08:36:16 EDT 2018

We’ll take a look! Thanks for the sha256, having the full file is a big help when we are analyzing these.

> On Jun 7, 2018, at 8:10 AM, Sevens Benoît <Benoit.Sevens at mil.be> wrote:
> Hi all,
> Our IDS has triggered on the HTTP download of an xls file with sha256: 714b5fba91302b5a6acfc4d659329dbde429f1fa4460970d60e76711da67b94a
> The file can be downloaded from Virustotal
> The rule that triggered was this one: 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt"; flow:to_client,established; flowbits:isset, file.xls; file_data; content:"|09 08 10 00 00 06 05 00|"; content:"|07|"; within:1; distance:3; byte_test:1,&,16, 0, relative; byte_test:1,&,1, 0, relative; byte_test:1,&,8, 0, relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0140; reference:cve,2018-8162; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8162; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-recon; sid:38785; rev:4;)
> It is hard for us to say now if this is a false positive or not, taking into account the fact that exploits for these CVEs could not be found online.
> Does anyone have more knowledge on this Snort signature in order to determine if this is a false positive or not?
> Regards,
> Benoit
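As an added triage aid (not part of this thread, and not Talos or Snort code), the Python below reproduces the byte checks SID 38785 performs on the Excel BOF record, so a flagged file can be inspected offline and the exact bytes that satisfied the rule can be seen. The flag-bit names follow the BOF record layout in the MS-XLS specification and are an assumption here; the two sample records are constructed.

```python
"""Reproduce the byte checks of Snort SID 38785 on a BIFF8 BOF record (offline triage helper)."""
import struct

# The rule's first content match: record type 0x0809 (BOF), length 0x0010,
# vers 0x0600 (BIFF8), dt 0x0005 (workbook globals substream).
BOF_CONTENT = bytes.fromhex("0908100000060500")

# The three byte_test options each AND the same byte (offset 0, relative) with 16, 1 and 8.
# Bit names per the MS-XLS BOF flag layout (assumption, not stated in the thread).
FLAG_BITS = {0x01: "fWin", 0x08: "fWinAny", 0x10: "fMacAny"}
REQUIRED = 0x10 | 0x01 | 0x08  # all three tests must pass


def parse_bof(rec: bytes) -> dict:
    """Decode the BOF fields the rule touches: 4-byte record header then vers, dt, rupBuild, rupYear, flags."""
    rtype, rlen, vers, dt, rup_build, rup_year = struct.unpack_from("<HHHHHH", rec, 0)
    flags = rec[12]  # first byte of the 4-byte flag field
    return {"type": rtype, "len": rlen, "vers": vers, "dt": dt,
            "rupBuild": rup_build, "rupYear": rup_year, "flags_byte": flags,
            "flags_set": [name for bit, name in FLAG_BITS.items() if flags & bit]}


def sid_38785_matches(data: bytes) -> bool:
    """Mirror the rule's match chain: content, then |07| at distance 3 / within 1, then the byte_tests."""
    i = data.find(BOF_CONTENT)
    while i != -1:
        # distance:3 within:1 -> exactly the byte at i+8+3 must be 0x07 (high byte of rupYear).
        # byte_test ... relative -> the byte right after that match (i+12); byte_test does not move the cursor.
        if len(data) > i + 12 and data[i + 11] == 0x07 and (data[i + 12] & REQUIRED) == REQUIRED:
            return True
        i = data.find(BOF_CONTENT, i + 1)  # Snort retries the chain at the next content occurrence
    return False


# Constructed sample records (not real files): rupBuild 0x0DBB, rupYear 0x07CC (1996),
# flags 0xD9 (fWin|fWinAny|fMacAny set) versus 0xC9 (fMacAny clear), then four trailing bytes.
SAMPLE_MATCH = BOF_CONTENT + bytes.fromhex("bb0dcc07d900020006060000")
SAMPLE_NOMATCH = BOF_CONTENT + bytes.fromhex("bb0dcc07c900020006060000")

if __name__ == "__main__":
    for label, rec in (("match", SAMPLE_MATCH), ("no match", SAMPLE_NOMATCH)):
        print(label, sid_38785_matches(rec), parse_bof(rec))
```

Run it over the raw bytes of the downloaded workbook (the BOF record is the first record of the Workbook stream) to see which flag bits the file carries; a mismatch on fMacAny alone is the only difference between the two constructed samples.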
