vba_data
The vba_data
rule option is used to set the detection cursor to the Microsoft Office Visual Basic for Applications (VBA) macros buffer.
VBA macros can be included in documents and spreadsheets to automate common Office tasks and operations, but they unfortunately can also be used by malicious actors to execute arbitrary code on an unsuspecting victim's machine. To be able to protect against malicious macros, Snort provides the vba_data
sticky buffer to look at VBA macros present in Office documents that are sent over the wire.
Note that because VBA macros and Office documents are usually compressed, this option requires that the decompress_zip
and decompress_vba
options are enabled in one's Snort configuration. For example to enable it for the HTTP inspector, you would add the following lines to your configuration:
http_inspect.decompress_zip = true
http_inspect.decompress_vba = true
Format:
vba_data;
Examples:
vba_data;
content:"URLDownloadToFileA",nocase;