alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Potential Malicious PDF (OpenAction JavaScript)"; flow:from_server,established; content:"%PDF-"; content:"<</OpenAction <</JS"; within:128; nocase; classtype:trojan-activity;)
This signature looks for the PDF header (indicating we're dealing with a PDF), then an /OpenAction followed by /JS. This indicates that JavaScript will be executed as soon as the document is opened.
Yes, I realize this signature can be easily bypassed with PDF obfuscation. However, I've found that attackers are not yet using this very much. Let me know if this is useful to you.
1 comment:
I recommend you drop the << from the scan: /OpenAction /JS
<< indicates the start of the dictionary, and keys inside the dictionary can appear in random order.
And to increase the probability the snort rule only triggers for PDF documents, add %%EOF too.
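To make the rule and the comment concrete, here is an added Python example (not from the post or its author) that applies the post's literal match beside a key-order-insensitive check, with the %PDF- header and %%EOF trailer requirements the comment suggests, over constructed PDF fragments. Function names and the samples are assumptions for illustration.

```python
import re

# Constructed PDF fragments (not real documents): the case the post's rule matches,
# the commenter's reordered keys, an indirect /OpenAction, and a benign GoTo action.
SAMPLES = {
    "literal_order": b"%PDF-1.4\n1 0 obj\n<</OpenAction <</JS (app.alert(1)) /S /JavaScript>> /Type /Catalog>>\nendobj\n%%EOF\n",
    "reordered_keys": b"%PDF-1.4\n1 0 obj\n<</OpenAction <</S /JavaScript /JS (app.alert(1))>> /Type /Catalog>>\nendobj\n%%EOF\n",
    "indirect_action": b"%PDF-1.4\n1 0 obj\n<</OpenAction 2 0 R /Type /Catalog>>\nendobj\n2 0 obj\n<</S /JavaScript /JS (app.alert(1))>>\nendobj\n%%EOF\n",
    "benign_goto": b"%PDF-1.4\n1 0 obj\n<</OpenAction <</S /GoTo /D [2 0 R /Fit]>> /Type /Catalog>>\nendobj\n%%EOF\n",
}

def literal_match(data: bytes) -> bool:
    """Approximate the post's rule: '%PDF-' then '<</OpenAction <</JS' within 128 bytes, nocase."""
    head = data.find(b"%PDF-")
    if head < 0:
        return False
    return b"<</openaction <</js" in data[head + 5:head + 5 + 128].lower()

def balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary opening at data[start] ('<<') through its matching '>>'."""
    depth, i = 0, start
    while i < len(data) - 1:
        tok = data[i:i + 2]
        if tok == b"<<":
            depth += 1
        elif tok == b">>":
            depth -= 1
            if depth == 0:
                return data[start:i + 2]
        i += 2 if tok in (b"<<", b">>") else 1
    return data[start:]

# /OpenAction followed by an inline dictionary or an indirect reference "n g R".
OPENACTION_RE = re.compile(rb"/OpenAction\s*(<<|(\d+)\s+(\d+)\s+R\b)", re.I)

def has_openaction_js(data: bytes) -> bool:
    """Order-insensitive check: header and %%EOF present, /OpenAction dict carries /JS."""
    if not data.startswith(b"%PDF-") or b"%%EOF" not in data:
        return False
    m = OPENACTION_RE.search(data)
    if not m:
        return False
    if m.group(1) == b"<<":
        action = balanced_dict(data, m.start(1))
    else:  # resolve "n g obj <<...>>" for the referenced action dictionary
        obj = re.search(rb"(?<!\d)" + m.group(2) + rb"\s+" + m.group(3) + rb"\s+obj\s*(<<)", data)
        if not obj:
            return False
        action = balanced_dict(data, obj.start(1))
    return re.search(rb"/JS\b", action, re.I) is not None
```

The literal match fires only on the first sample, while the dictionary-aware check also catches the reordered and indirect variants and stays quiet on the GoTo action.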