The vba_data rule option sets the detection cursor to the Microsoft Office Visual Basic for Applications (VBA) macros buffer.
VBA macros can be included in documents and spreadsheets to automate common Office tasks and operations, but malicious actors can also use them to execute arbitrary code on an unsuspecting victim's machine. To protect against malicious macros, Snort provides the vba_data sticky buffer, which looks at VBA macros present in Office documents that are sent over the wire.
Note that because VBA macros and Office documents are usually compressed, this option requires that the decompress_zip and decompress_vba options are enabled in one's Snort configuration. For example, to enable them for the HTTP inspector, you would add the following lines to your configuration:
http_inspect.decompress_zip = true
http_inspect.decompress_vba = true
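
As an added example (not taken from the Snort documentation), the fragment below combines the two settings with a rule that matches inside the vba_data buffer. It assumes it is appended to a snort.lua in which the http_inspect and ips tables already exist; the rule's message, sid, and the macro keywords AutoOpen and Shell are constructed for illustration.

```lua
-- Added example: fragment for an existing snort.lua. Assumes the
-- http_inspect and ips tables are already defined earlier in the file.

-- Both decompression stages are needed: without them the vba_data
-- buffer is never populated and the rule below cannot match.
http_inspect.decompress_zip = true
http_inspect.decompress_vba = true

-- Constructed detection rule. vba_data is a sticky buffer, so every
-- content match that follows it is evaluated against the decompressed
-- macro source rather than the raw HTTP payload.
-- Note: this assignment replaces any rules string set earlier in the file.
ips.rules = [[
    alert http (
        msg:"Office document macro auto-runs and calls Shell (example)";
        flow:to_client,established;
        vba_data;
        content:"AutoOpen", nocase;
        content:"Shell", nocase;
        sid:1000001; rev:1;
    )
]]
```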