vba_data

The vba_data rule option is used to set the detection cursor to the Microsoft Office Visual Basic for Applications (VBA) macros buffer.

VBA macros can be included in documents and spreadsheets to automate common Office tasks and operations, but they unfortunately can also be used by malicious actors to execute arbitrary code on an unsuspecting victim's machine. To be able to protect against malicious macros, Snort provides the vba_data sticky buffer to look at VBA macros present in Office documents that are sent over the wire.

Note that because VBA macros and Office documents are usually compressed, this option requires that the decompress_zip and decompress_vba options are enabled in one's Snort configuration. For example to enable it for the HTTP inspector, you would add the following lines to your configuration:

http_inspect.decompress_zip = true
http_inspect.decompress_vba = true

Format:

vba_data;

Examples:

vba_data;
content:"URLDownloadToFileA",nocase;

Snort 3 Rule Writing Guide

vba_data

Format:

Examples: