""ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2""

SID: 2022924

Revision: 1

Class Type: trojan-activity

Metadata: created_at 2016_06_29, cve CVE_2016_2209, confidence High, updated_at 2016_06_29

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

• Value: "|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"

• Value: !"|00 00|"

• Value: "|00 00 BA 0F 2E 01 00 00|"

Within: 8

PCRE:

Special Options:

• file_data

source