So in looking at xlsm/docm files I noticed this...where bro says:
but the pcap says:
Is there a way to fine tune this in bro? Identifying files flying around with macros would be wonderful...thank you.
That is a bit of an overloaded mime-type I'm afraid. We did build the files framework in Bro so that it could be extended to provide quite a bit of extra information when the file is "sniffed". The primary problem that we'd have with providing that information at the moment is lack of a way to analyze excel files.
Understood and thanks Seth. At this point an analysis of the Macro enabled Excel/Word file is secondary to bro just being able to read and report the "macro-enabled" mime type. Lemme see if I can get protosigs to do something exciting....thank you!
Once you know you're dealing with an OOXML archive, in my experience the following works well: take the presence of a vbaproject.bin file in the archive as a prerequisite for macro-enabledness, then leverage a .docm/.pptm/.xlsm filename suffix to distinguish application, and fall back to Word for others.
I'd be interested to hear what approaches others have used.
I forgot: the directory layout in such archives is also telling -- look for word/, xl/, ppt/ ...
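The heuristic described in the two messages above, written out as a stand-alone Python example that is not part of the thread and not a Bro script: it assumes the file body has already been carved out of the traffic (for instance by the files framework's extraction), checks for the vbaProject.bin prerequisite, then uses the filename suffix, then the word/, xl/, ppt/ directory layout, and falls back to Word. The `classify_ooxml` and `build_sample` names and the sample archives are constructed for this example.

```python
import io
import zipfile

# Hypothetical mappings built from the thread's hints (suffix first, then directory layout).
_SUFFIX_TO_APP = {".docm": "Word", ".xlsm": "Excel", ".pptm": "PowerPoint"}
_DIR_TO_APP = {"word/": "Word", "xl/": "Excel", "ppt/": "PowerPoint"}


def classify_ooxml(data: bytes, filename: str = "") -> dict:
    """Return {'ooxml': bool, 'macro': bool, 'app': str|None} for an extracted file body."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"ooxml": False, "macro": False, "app": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Every OOXML package carries a [Content_Types].xml part; without it this is just a zip.
    if "[Content_Types].xml" not in names:
        return {"ooxml": False, "macro": False, "app": None}
    # Prerequisite for macro-enabledness: a vbaProject.bin part anywhere in the archive.
    macro = any(n.lower().endswith("vbaproject.bin") for n in names)
    app = None
    # Distinguish the application by filename suffix when a name is available.
    lower = filename.lower()
    for suffix, name in _SUFFIX_TO_APP.items():
        if lower.endswith(suffix):
            app = name
    # Otherwise use the top-level directory layout, then fall back to Word.
    if app is None:
        for prefix, name in _DIR_TO_APP.items():
            if any(n.startswith(prefix) for n in names):
                app = name
                break
    if app is None:
        app = "Word"
    return {"ooxml": True, "macro": macro, "app": app}


def build_sample(parts) -> bytes:
    """Constructed in-memory OOXML-like archive for demonstration only (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # No filename given: the xl/ layout identifies Excel, vbaProject.bin marks it macro-enabled.
    print(classify_ooxml(build_sample(["xl/workbook.xml", "xl/vbaProject.bin"])))
    print(classify_ooxml(build_sample(["word/document.xml"]), "report.docx"))
```

The vbaProject.bin check is a presence test only; a file flagged here still needs the kind of Excel/Word analysis Seth mentions before anything is said about what the macro does.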
It's been a while.