FILE-IDENTIFY -- Snort has detecte File Type indicators associated with packet data, which it will use to facilitate a flowbit, a method of stringing rules together. In a flowbit, one rule examines packets for file type indications, which it uses to switch rules pertaining to that file type from a dormant to active state in order to process the appropriate packets. File-type rules stay dormant to prevent alerts on innocent traffic. That same traffic, when contained in, for instance, a .doc file attached to an email, might be a threat and should be scanned.
FILE-IDENTIFY Microsoft Office Publisher file magic detected
This is a FILEIDENTIFY rule, specifically for Microsoft Publisher files. It looks for the magic bytes identifying it as a Publisher file which can then be used from another rule to perform more detailed inspection.
This rule should not alert, as it is a flowbit setter, designed to identify files and network streams. In this particular case, this rule is looking to identify Microsoft Publisher files.
No public information
No known false positives
Talos research team. This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology. For more information see [nvd].
No rule groups
N/A
Not Applicable
CVE-2006-0001 |
Loading description
|
Tactic: Discovery
Technique: File and Directory Discovery
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
