Snort mailing list archives
Re: Snort rule to detect Windows PE ExecutableDownloads
From: "Matt Jonkman" <jonkman () bleedingthreats net>
Date: Fri, 13 Jul 2007 08:55:21 +1000
Well put Jeffrey, thanks.

Note: Those are commented out because they aren't of interest to all networks. They ARE reliable, just not an indication of hostile activity. Just a policy thing. I use them in a lot of places and have great results.

Matt
-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Jeffrey Denton
Sent: Friday, July 13, 2007 3:10 AM
To: Humes, David G.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule to detect Windows PE ExecutableDownloads

On 7/12/07, Humes, David G. <David.Humes () jhuapl edu> wrote:
I would like to have a Snort rule to reliably detect the download of a Windows PE executable file.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:6; )

If you are running the Bleedingthreats rules, these signatures are commented out by default.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
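As an added example (not from the thread or the Bleeding Threats ruleset), the Python below emulates, in simplified form, the content/isdataat/distance matching of sid 2000419 and sets a structural e_lfanew check beside it, which shows why the rule reliably finds PE files yet is a policy signal rather than a hostile one: it also fires on text that merely quotes the DOS stub. All sample bytes are constructed, and the function names are mine.

```python
# Added example: simplified emulation of Bleeding Threats sid 2000419
# (content "MZ"; isdataat:76,relative; content DOS stub; distance:0;
# isdataat:10,relative; content "PE"; distance:0) beside a structural
# PE-header check. All sample bytes are constructed, not a real binary.
DOS_STUB = b"This program cannot be run in DOS mode."

def snort_pe_match(payload: bytes) -> bool:
    """Approximate the rule on one reassembled payload: each content searches
    forward from the previous match (distance:0), isdataat:N,relative demands
    N more bytes, and later "MZ" candidates are retried on failure."""
    start = 0
    while (mz := payload.find(b"MZ", start)) != -1:
        after_mz = mz + 2
        stub = payload.find(DOS_STUB, after_mz) if len(payload) - after_mz >= 76 else -1
        if stub != -1:
            after_stub = stub + len(DOS_STUB)
            if len(payload) - after_stub >= 10 and payload.find(b"PE", after_stub) != -1:
                return True
        start = mz + 1
    return False

def structural_pe_check(payload: bytes) -> bool:
    """Stricter: for each "MZ" candidate read e_lfanew (32-bit LE at +0x3C)
    and require "PE\\0\\0" exactly there. Text quoting the stub fails; a real
    header passes even with HTTP headers ahead of it in the stream."""
    start = 0
    while (mz := payload.find(b"MZ", start)) != -1:
        if len(payload) >= mz + 0x40:
            e_lfanew = int.from_bytes(payload[mz + 0x3C:mz + 0x40], "little")
            if payload[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
                return True
        start = mz + 1
    return False

def build_sample_pe() -> bytes:
    """Constructed minimal PE-like header: DOS header, stub text, PE signature."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB + b"\r\r\n$"
    pad = (-(64 + len(stub))) % 8                     # 8-byte align the PE header
    dos_header[0x3C:0x40] = (64 + len(stub) + pad).to_bytes(4, "little")
    return bytes(dos_header) + stub + b"\0" * pad + b"PE\0\0" + b"\x4c\x01" + b"\0" * 32

# Constructed text that merely quotes the stub: the rule fires, the check does not.
FALSE_POSITIVE_TEXT = (b"MZ is the DOS magic; " + b"a" * 80 + b" the stub says "
                       + DOS_STUB + b" and later the PE signature appears.")
```

Both functions expect a reassembled stream or file body; the emulation ignores Snort's fast-pattern selection and per-packet boundaries, so it is a model of the rule's logic, not a drop-in replacement for the sensor.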
Current thread:
- Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Paul Melson (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Will Metcalf (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)