From: Sreeja Athirkandathil Narayanan (sathirka) Date: Fri, 2 Sep 2022 17:51:10 +0000 (+0000) Subject: Pull request #3578: file_id: Update Office Documents rules X-Git-Tag: 3.1.41.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=329b11eb59114bd46dfc9a77e3651bdc1a758c65;p=thirdparty%2Fsnort3.git Pull request #3578: file_id: Update Office Documents rules Merge in SNORT/snort3 from ~AGIURGIU/snort3:update_office_docs to master Squashed commit of the following: commit 56bc735801d80ef0216017dbc4234085bdd10b8d Author: Alexandru Giurgiu Date: Tue Aug 23 09:29:49 2022 +0300 file_id: Update Office Documents rules
---
diff --git a/lua/file_magic.rules b/lua/file_magic.rules
index 9ec4fae94..d0f6a258f 100644
--- a/lua/file_magic.rules
+++ b/lua/file_magic.rules
@@ -107,7 +107,6 @@ file_id (msg:"Musical Instrument Digital Interface (MIDI) sound file"; file_meta
 file_id (msg:"multimedia playlists"; file_meta:type PLS, id 116, category "Multimedia"; file_data; content:"| 5b 70 6c 61 79 6c 69 73 74 5d |", depth 10, offset 0; gid:4; sid:107; rev:1;)
 file_id (msg:"Synchronized Multimedia Integration Language"; file_meta:type SMIL, id 117, category "Multimedia"; file_data; content:"| 3c 73 6d 69 6c 3e |", depth 6, offset 0; gid:4; sid:108; rev:1;)
 file_id (msg:"Synchronized Accessible Media Interchange"; file_meta:type SAMI, id 119, category "Multimedia"; file_data; content:"| 3c 53 41 4d 49 |", depth 5, offset 0; gid:4; sid:109; rev:1;)
-file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 120, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 14 00 06 00 |", depth 8, offset 0; gid:4; sid:110; rev:1;)
 file_id (msg:"Autodesk AutoCAD file (dwg) "; file_meta:type DWG, id 130, category "Graphics"; file_data; content:"| 41 43 31 30 |", depth 4, offset 0; gid:4; sid:111; rev:1;)
 file_id (msg:"Microsoft Document Imaging file (mdi)"; file_meta:type MDI, id 132, category "Office Documents"; file_data; content:"| 45 50 |", depth 2, offset 0; gid:4; sid:112; rev:1;)
 file_id (msg:"PGP disk image(PGD)"; file_meta:type PGD, id 133, category "System files"; file_data; content:"| 50 47 50 64 4D 41 49 4E |", depth 8, offset 0; gid:4; sid:113; rev:1;)
@@ -201,3 +200,9 @@ file_id (msg:"Hangul word processor file"; file_meta:type HWP, id 323, category
 file_id (msg:"Flash file"; file_meta:type SWF, id 324, category "Multimedia"; file_data; content:"| 5A 57 53 |", depth 3, offset 0; gid:4; sid:201; rev:1;)
 file_id (msg:"Packet capture file"; file_meta:type PCAP, id 325, category "System files"; file_data; content:"| 0A 0D 0D 0A |", depth 4, offset 0; gid:4; sid:202; rev:1;)
 file_id (msg:"Flash file "; file_meta:type SWF, id 54, category "Multimedia"; file_data; content:"| 58 46 49 52 |", depth 4, offset 0; gid:4; sid:203; rev:1;)
+file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (PPTX)"; file_meta:type PPTX, id 326, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 70 70 74 2f |", depth 4, offset 30; gid:4; sid:204; rev:1;)
+file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX)"; file_meta:type DOCX, id 327, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 77 6f 72 64 2f |", depth 5, offset 30; gid:4; sid:205; rev:1;)
+file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (XLSX)"; file_meta:type XLSX, id 328, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 78 6c 2f |", depth 3, offset 30; gid:4; sid:206; rev:1;)
+file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 329, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e |", depth 16, offset 30; gid:4; sid:207; rev:1;)
+file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 330, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 5f 72 65 6c 73 2f |", depth 6, offset 30; gid:4; sid:208; rev:1;)
+file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 331, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 64 6f 63 50 72 6f 70 73 2f |", depth 9, offset 30; gid:4; sid:209; rev:1;)
\ No newline at end of file
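Review bot: The three NEW_OFFICE rules (sid 207–209) key on `[Content_Types].`, `_rels/` and `docProps/` as the name in the first ZIP local file header (the 30-byte fixed header puts the name at offset 30), and those names are common to every Open Packaging Conventions archive, so a non-Office OPC package such as XPS or Visio whose first entry is one of them will be typed NEW_OFFICE and carry the "Dynamic Analysis Capable,Local Malware Analysis Capable" categories; that is a wider net than the removed sid 110, which also required the `14 00 06 00` version/flags bytes, and the intended scope should be stated. Because sid 204–209 all test offset 30 with different bytes, at most one can match a given file, which means DOCX/XLSX/PPTX are only distinguished when the producer wrote the `word/`, `xl/` or `ppt/` entry first and otherwise fall back to the generic NEW_OFFICE id; that entry-order dependency is not obvious from the rules and deserves a comment above sid 204, e.g. `# OOXML: PK\x03\x04 at offset 0, then the first local header's file name at offset 30 (entry order is producer-dependent; generic OPC names also match)`, if the rules file accepts `#` comments. Two minor style points: the hex patterns mix upper case (`50 4B`) with lower case (`5b 43 ...`) within the same rule, and the new last line leaves the file without a trailing newline per the `\ No newline at end of file` marker.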