[Snort-sigs] [Emerging-Sigs] List if rules hit with an ISO file

James Lay jlay at slave-tothe-box.net
Thu Mar 22 13:10:17 EDT 2018


Thanks...I'll send this up to the snort-sigs folks as well.  Here's the 
hash:

816F3F0D32F393B7738945B78826F53D1F97EE0877E9E68E8D57AD40AC3588E5

Thank you!

James

On 2018-03-22 11:00, Francis Trudeau wrote:
> Only one of those, 2014099, is ours.  It should have alerted with
> another SID as it has a flowbits:isset.  It could have alerted with
> 2014097, which has noalert, but that's the only flowbit set rule that
> has noalert.
> 
> What's the md5/sha1/whatever of that ISO?  I can look around to see if
> I can't recreate what you saw.
> 
> 
> 
> On Mon, Mar 19, 2018 at 9:49 AM, James Lay <jlay at slave-tothe-box.net> 
> wrote:
>> Wow does this ISO file from MS fire off a bunch of stuff:
>> 
>> hxxp://fullproduct.download.microsoft[.]com/download/release/3/6/1/SW_DVD5_SharePoint_Server_2013w_SP1_64Bit_English_MLF_X19-36118.ISO
>> 
>> [3:15298:12] FILE-OFFICE Microsoft Visio could allow remote code execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
>> [1:32986:1] MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt [**] [Classification: A Network Trojan was Detected] [Priority: 1]
>> [1:10000162:1] POLICY Composite Office Document Containing Macro via http [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>> [1:2014099:2] ET TROJAN Exploit Kit Delivering Office File to Client [**] [Classification: A Network Trojan was Detected] [Priority: 1]
>> 
>> Just an FYI really.
>> 
>> James
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>> 

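The reasoning in Francis's reply (an isset rule should normally fire next to the SID that set its flowbit, unless that setter carries flowbits:noalert) is mechanical enough to script. The following is an added example, not code from the thread, from Snort or from Emerging Threats: it parses a constructed, hypothetical ruleset (SIDs 9000001-9000005, not the real 2014097/2014099 rules) and, for a SID that alerted, reports which rules set the bits it requires, whether those setters are silent, and which alerting setters should have appeared alongside it but did not.

```python
"""Explain why a flowbits:isset rule alerted on its own.

Added example, not code from the Snort or Emerging Threats projects. The
ruleset below is constructed for illustration with hypothetical SIDs
(9000001-9000005); it is not the ET rules 2014097/2014099 from the thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RULES = r'''
# constructed sample ruleset (hypothetical SIDs and content)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE OLE file to client, set bit"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,example.officefile; flowbits:noalert; classtype:not-suspicious; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Macro in OLE file"; flow:established,to_client; flowbits:isset,example.officefile; file_data; content:"vbaProject"; classtype:trojan-activity; sid:9000002; rev:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE PE to client, alerts and sets bit"; flow:established,to_client; file_data; content:"MZ"; depth:2; flowbits:set,example.exe; classtype:policy-violation; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE PE follow-up"; flow:established,to_client; flowbits:isset,example.exe; content:"This program cannot"; classtype:trojan-activity; sid:9000004; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Orphan isset"; flow:established,to_client; flowbits:isset,example.never_set; classtype:trojan-activity; sid:9000005; rev:1;)
'''


@dataclass
class Rule:
    sid: int
    msg: str
    sets: list = field(default_factory=list)    # flowbits this rule sets
    isset: list = field(default_factory=list)   # flowbits this rule requires
    noalert: bool = False                       # flowbits:noalert present


SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*([^;]+);')


def parse_rules(text):
    """Return {sid: Rule} for every uncommented rule line in text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        msg_m = MSG_RE.search(line)
        rule = Rule(int(sid_m.group(1)), msg_m.group(1) if msg_m else '')
        for opt in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(',')]
            verb = parts[0]
            if verb == 'noalert':
                rule.noalert = True
            elif verb in ('set', 'setx') and len(parts) > 1:
                # "a&b" / "a|b" name lists are split into individual bits
                rule.sets.extend(re.split(r'[&|]', parts[1]))
            elif verb == 'isset' and len(parts) > 1:
                rule.isset.extend(re.split(r'[&|]', parts[1]))
        rules[rule.sid] = rule
    return rules


def setters(rules):
    """Map flowbit name -> [(sid, noalert)] for the rules that set it."""
    index = {}
    for r in rules.values():
        for bit in r.sets:
            index.setdefault(bit, []).append((r.sid, r.noalert))
    return index


def explain(sid, rules):
    """For a flowbits:isset rule, list who sets each bit it requires.

    Returns {bit: [(setter_sid, setter_is_noalert), ...]}; an empty list
    means no rule in this ruleset ever sets the bit (orphaned isset).
    """
    index = setters(rules)
    return {bit: index.get(bit, []) for bit in rules[sid].isset}


def missing_companions(fired, rules):
    """Return {sid: [setter sids]} for each fired isset rule whose
    alerting (non-noalert) setters did not fire alongside it.

    A noalert setter is the expected reason an isset rule shows up by
    itself; an alerting setter absent from the alert list points at
    ruleset or logging drift worth chasing. (isset lists joined with
    '|' only need one bit set; this check treats every setter as
    expected, so read its output as a lead, not a verdict.)
    """
    fired = set(fired)
    index = setters(rules)
    out = {}
    for sid in fired:
        if sid not in rules:
            continue
        missing = []
        for bit in rules[sid].isset:
            for setter_sid, silent in index.get(bit, []):
                if not silent and setter_sid not in fired:
                    missing.append(setter_sid)
        if missing:
            out[sid] = sorted(set(missing))
    return out


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for sid in (9000002, 9000004, 9000005):
        print(sid, rules[sid].msg, explain(sid, rules))
    print(missing_companions([9000002], rules))  # {} : noalert setter explains it
    print(missing_companions([9000004], rules))  # {9000004: [9000003]}
```

Point the parser at a real rules file (one rule per line, as distributed) and call `missing_companions` with the SIDs pulled from the alert log; the one caveat is that Snort's `[gid:sid:rev]` prefix must be stripped to the bare SID first.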