Snort mailing list archives
Re: CVE-2018-8162 rule
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 7 Jun 2018 13:35:36 +0000
Sevens,

In addition to what Mr Randolph said below: Thanks for the information. Can you file a false positive report by following the directions listed here: Submit a False Positive <https://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html>. This will help us.

Thanks!

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com

On Jun 7, 2018, at 8:36 AM, David Randolph <drandolph () sourcefire com> wrote:

> We'll take a look! Thanks for the sha256, having the full file is a big help when we are analyzing these.
>
> On Jun 7, 2018, at 8:10 AM, Sevens Benoît <Benoit.Sevens () mil be> wrote:
>
>> Hi all,
>>
>> Our IDS has triggered on the HTTP download of an xls file with sha256:
>> 714b5fba91302b5a6acfc4d659329dbde429f1fa4460970d60e76711da67b94a
>> The file can be downloaded from Virustotal.
>>
>> The rule that triggered was this one:
>>
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 05 00|"; content:"|07|"; within:1; distance:3; byte_test:1,&,16,0,relative; byte_test:1,&,1,0,relative; byte_test:1,&,8,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0140; reference:cve,2018-8162; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8162; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-recon; sid:38785; rev:4;)
>>
>> It is hard for us to say now if this is a false positive or not, taking into account the fact that exploits for these CVEs could not be found online. Does anyone have more knowledge on this Snort signature in order to determine if this is a false positive or not?
>>
>> Regards,
>> Benoit
>>
>> This e-mail and any attachments may contain sensitive and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs () lists snort org
>> https://lists.snort.org/mailman/listinfo/snort-sigs
>> Please visit http://blog.snort.org for the latest news about Snort!
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
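To reason about whether a hit on sid 38785 is a false positive, it helps to see exactly which bytes the rule inspects. The following script is an added example written for this archive page; it is not Snort's code and not Talos's analysis of the sample. It re-implements the rule's content/within/distance/byte_test sequence in Python so you can run it offline over a file you already hold. It assumes the rule's 8-byte anchor is the start of a BIFF8 BOF record (record id 0x0809, length 16, version 0x0600, substream type 0x0005, per the MS-XLS layout); the field names and all sample byte strings below are constructed for illustration, not taken from the file in the thread. Two things the rule's text does not make obvious: the `|07|` check lands on the high byte of rupYear, and, because `byte_test` does not advance the detection pointer, all three `byte_test` options examine the same first flags byte, so bits 0, 3 and 4 of that byte must all be set. The Snort rule additionally requires the `file.xls` flowbit and runs over the `file_data` buffer (the decoded HTTP body); the script ignores both and just takes raw bytes.

```python
"""Offline re-implementation of the match logic in Snort sid 38785 (rev 4).

Added example, not Snort's own code. Field names follow the MS-XLS BIFF8
BOF record layout (assumption); sample inputs are constructed.
"""
import struct
import sys

# content:"|09 08 10 00 00 06 05 00|" -> rt=0x0809 (BOF), cch=0x0010,
# vers=0x0600 (BIFF8), dt=0x0005 (workbook globals substream).
BOF_ANCHOR = bytes.fromhex("0908100000060500")

# 4-byte record header + vers, dt, rupBuild, rupYear (2 bytes each) + flags (4 bytes)
BOF_STRUCT = struct.Struct("<HHHHHHI")


def parse_bof(payload: bytes, offset: int) -> dict:
    """Decode the BOF record that starts at `offset` for a human-readable report."""
    rt, cch, vers, dt, rup_build, rup_year, flags = BOF_STRUCT.unpack_from(payload, offset)
    return {"rt": rt, "cch": cch, "vers": vers, "dt": dt,
            "rupBuild": rup_build, "rupYear": rup_year, "flags": flags}


def sid38785_match_offset(payload: bytes) -> int:
    """Return the offset of the first BOF record satisfying the rule, or -1.

    Mirrors Snort's behaviour of retrying the first content match at later
    offsets when the relative options that follow it fail.
    """
    pos = 0
    while True:
        i = payload.find(BOF_ANCHOR, pos)
        if i < 0:
            return -1
        cursor = i + len(BOF_ANCHOR)          # detection pointer after first content
        # content:"|07|"; within:1; distance:3; -> the byte exactly 3 past the
        # cursor (offset 11 in the record, high byte of rupYear) must be 0x07.
        j = cursor + 3
        if j < len(payload) and payload[j] == 0x07:
            k = j + 1                          # first byte of the 4-byte flags field
            if k < len(payload):
                flags_low = payload[k]
                # byte_test:1,&,16 / &,1 / &,8 all test this same byte, because
                # byte_test does not move the detection pointer.
                if flags_low & 16 and flags_low & 1 and flags_low & 8:
                    return i
        pos = i + 1


def sid38785_matches(payload: bytes) -> bool:
    return sid38785_match_offset(payload) >= 0


def _bof(rup_build: int, rup_year: int, flags: int) -> bytes:
    """Build a constructed 20-byte BOF record (4-byte header + 16 bytes of data)."""
    body = BOF_STRUCT.pack(0x0809, 0x0010, 0x0600, 0x0005, rup_build, rup_year, flags)
    return body + b"\x06\x00\x00\x00"          # verLowestBiff + reserved bytes


# Constructed samples (not the file from the thread).
SAMPLE_MATCH = b"\x00" * 8 + _bof(0x1CDC, 0x07CD, 0x00000019)   # flags bits 0,3,4 set
SAMPLE_FLAGS_MISSING_BIT = _bof(0x1CDC, 0x07CD, 0x00000001)     # only bit 0 set
SAMPLE_YEAR_MISMATCH = _bof(0x1CDC, 0x0000, 0x00000019)         # rupYear high byte != 0x07
SAMPLE_SECOND_BOF_MATCHES = SAMPLE_FLAGS_MISSING_BIT + _bof(0x1CDC, 0x07CD, 0x00000019)


def report(payload: bytes) -> str:
    off = sid38785_match_offset(payload)
    if off < 0:
        return "no match for sid 38785"
    f = parse_bof(payload, off)
    return (f"match at offset {off}: vers=0x{f['vers']:04x} dt=0x{f['dt']:04x} "
            f"rupBuild={f['rupBuild']} rupYear=0x{f['rupYear']:04x} flags=0x{f['flags']:08x}")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MATCH
    print(report(data))
```

Run it with a path to an .xls sample to get the offset and decoded BOF fields that satisfied the rule; with no argument it runs against the constructed matching sample. Decoding rupBuild, rupYear and flags alongside the hit is what you would paste into the false positive report, since it tells the rule authors which producer's BOF header is triggering the signature.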
Current thread:
- CVE-2018-8162 rule Sevens Benoît (Jun 07)
- Re: CVE-2018-8162 rule David Randolph (Jun 07)
- Re: CVE-2018-8162 rule Joel Esler (jesler) via Snort-sigs (Jun 07)
- Re: CVE-2018-8162 rule David Randolph (Jun 07)