Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

[rmkml <rmkml () ligfy org>]

Hi,

The http://etplc.org open source project offer a new sig for detecting LibreOffice RTF stylesheet and superscript 
tokens access:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens 
access";
flow:to_client,established; file_data; content:"\\rtf1"; within:5; distance:1; content:"\\stylesheet"; distance:0; 
content:"\\super";
distance:0; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/;
reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)

See reference for more information.

Don't forget check variables.

Futur plan: better if you use flowbits for checking rtf file, and don't forget smtp trafic...

Please send any comments.

Regards
@Rmkml

PS: At this time, Cisco/Talos not published sid 39148 or 39149 for this vulnerability.

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!