<div dir="ltr">@rmkml,<div><br></div><div>Thanks for your submission. We will review and test the rule and get back to you when it's finished. </div><div><br></div><div>Sincerely,</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 23, 2017 at 4:09 PM, rmkml <span dir="ltr">&lt;<a href="mailto:rmkml@...4129..." target="_blank">rmkml@...4129...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
First, thx @r00tbsd and Talos,<br>
<br>
Please check sig for detecting Malformed RTF document:<br>
<br>
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF Malformed RTF with PNG header attempt"; flow:to_client,established; file_data;<br>
content:"{|5c|rt"; within:4; distance:0; content:"PNG|0d 0a|"; within:5;distance:1;<br>
reference:url,<a href="http://blog.talosintelligence.com/2017/03/how-malformed-rtf-defeats-security.html" rel="noreferrer" target="_blank">blog.<wbr>talosintelligence.com/2017/03/<wbr>how-malformed-rtf-defeats-<wbr>security.html</a>;<br>
classtype:attempted-user; sid:1; rev:1;)<br>
<br>
Please send any comments.<br>
<br>
Best Regards<br>
@Rmkml<br>
<br>
______________________________<wbr>_________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...1744...<wbr>net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-sigs</a><br>
</blockquote></div><br></div>
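<div>Added example, not part of the original thread and not Snort code: a Python emulation of the submitted rule's two relative content matches, run over constructed byte buffers to show what the rule does and does not alert on. It assumes Snort 2 semantics in which the search window begins <code>distance</code> bytes past the previous match and is <code>within</code> bytes long; the flow and port conditions are not modelled, and all function names are hypothetical.</div>

```python
# Added illustration: emulates the rule's content/distance/within logic
# against a file_data buffer. Function names are hypothetical.

def relative_match(buf, cursor, pattern, distance, within):
    """Return the cursor after a match, or None if the pattern is not found.

    Assumed Snort 2 semantics: the window starts `distance` bytes past the
    cursor and is `within` bytes long; the whole pattern must fit inside it.
    """
    start = cursor + distance
    window = buf[start:start + within]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def rule_matches(file_data):
    # content:"{|5c|rt"; within:4; distance:0;  -> must sit at offset 0
    cur = relative_match(file_data, 0, b"{\x5crt", 0, 4)
    if cur is None:
        return False
    # content:"PNG|0d 0a|"; within:5; distance:1;  -> skip one byte, then match
    return relative_match(file_data, cur, b"PNG\x0d\x0a", 1, 5) is not None


# Constructed sample buffers (not captured traffic).
SAMPLES = {
    "well-formed RTF": b"{\\rtf1\\ansi\\deff0 Hello}",
    "RTF prefix then PNG magic": b"{\\rt\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "plain PNG": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "prefix not at offset 0": b" {\\rt\x89PNG\r\n\x1a\n",
    "PNG magic shifted by one byte": b"{\\rtf\x89PNG\r\n\x1a\n",
    "truncated": b"{\\rt\x89PNG",
}


def evaluate_samples():
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

<div>Because both windows are exactly as long as their patterns, the match is anchored to fixed offsets: any leading byte before the brace, or any extra byte between the prefix and the PNG magic, causes the rule to miss.</div>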