Snort mailing list archives
Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads
From: "Will Metcalf" <william.metcalf () gmail com>
Date: Fri, 13 Jul 2007 08:27:10 -0500
You will have to change your byte_jump as well, try making it relative to your MZ match...

Regards,

Will

On 7/13/07, Humes, David G. <David.Humes () jhuapl edu> wrote:
> Removing the depth:2 option seems to have no visible effect. The rule
> continues to fire on the examples where it worked previously, and fails on
> the same ones where it didn't work before.
>
> > -----Original Message-----
> > From: snort-users-bounces () lists sourceforge net
> > [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Matt Jonkman
> > Sent: Thursday, July 12, 2007 11:32 PM
> > To: Humes, David G.
> > Cc: snort-sigs () lists sourceforge net; snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] [Snort-sigs] Snort rule to detect Windows PE Executable Downloads
> >
> > Humes, David G. wrote:
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable Download"; content:"MZ"; depth:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; flow:established,from_server; sid:8000143; classtype:bad-unknown; rev:1;)
> > >
> > > It works with this executable, http://www.cygwin.com/setup.exe, but not
> > > using this, http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.
> > > Why? Could anyone try it on their sensors and let me know if it
> > > behaves any differently. Or if anyone has any suggestions on how to
> > > do this that does not involve matching the "!This program cannot be
> > > run in DOS mode." string, that would be appreciated. Sorry Matt, I
> > > just don't think you can depend on that string any more.
> >
> > I think you're right.
> >
> > The issue with the above is you're assuming the exe is starting at the
> > beginning of the packet/stream, which it'll not likely be. Drop the depth
> > and try it that way. A little higher load, but it should be more reliable.
> >
> > If that does the trick then we can put the appropriate versions into the
> > bleeding ruleset, and adjust the existing to not look for the dos string.
> >
> > Matt
> >
> > > I will take a look at the PEHunter plugin that Jamie suggests. But, I
> > > think the rule, or something very similar, should work in all cases.
> > >
> > > Thanks.
> > >
> > > --Dave
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Bleeding Edge Threats
> > 765-429-0398
> > http://www.bleedingthreats.net
> > --------------------------------------------
> >
> > PGP: http://www.bleedingthreats.com/mattjonkman.asc
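To see concretely why the depth:2 and from_beginning anchoring breaks once the executable does not start the stream, here is an added Python emulation of the three rule variants discussed in this thread. It is not code from the thread; the wording of the relative rule is an assumption of how Will's suggestion would be written in Snort syntax, and the PE bytes and HTTP response header are constructed samples.

```python
import struct

def build_fake_pe(e_lfanew=0x80):
    """Constructed sample, not a real binary: a 64-byte DOS header whose
    e_lfanew field (offset 60, little-endian) points at a "PE\\0\\0" signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 60, e_lfanew)
    return bytes(hdr) + b"\x00" * (e_lfanew - 64) + b"PE\x00\x00" + b"\x00" * 16

def _u32(buf, off):
    """Read a little-endian 32-bit value, or None if it would run off the end."""
    return struct.unpack_from("<I", buf, off)[0] if len(buf) >= off + 4 else None

def rule_original(payload):
    """Dave's rule: content:"MZ"; depth:2; byte_jump:4,60,little,from_beginning;
    content:"PE|00 00|"; within:4;  -- depth:2 forces MZ to sit at payload offset 0."""
    return payload[:2] == b"MZ" and rule_depth_dropped(payload)

def rule_depth_dropped(payload):
    """Matt's variant: the same rule without depth:2. MZ may now sit anywhere,
    but from_beginning still reads e_lfanew at payload offset 60 and jumps from
    payload offset 0, so an executable that does not start the payload still fails."""
    if b"MZ" not in payload:
        return False
    e_lfanew = _u32(payload, 60)
    return e_lfanew is not None and payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def rule_relative(payload):
    """Will's suggestion, in the (assumed) form content:"MZ";
    byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4;
    Every offset is taken from the MZ match, so the executable may start anywhere.
    Snort retries later MZ matches when the rest of the rule fails; so do we."""
    pos = payload.find(b"MZ")
    while pos != -1:
        e_lfanew = _u32(payload, pos + 2 + 58)   # cursor sits after "MZ", then +58
        # the jump lands at pos+64+e_lfanew; distance:-64 pulls it back to pos+e_lfanew
        if e_lfanew is not None and payload[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
            return True
        pos = payload.find(b"MZ", pos + 1)
    return False

if __name__ == "__main__":
    exe = build_fake_pe()
    # Constructed HTTP response wrapper: the body, and its MZ, no longer starts the stream.
    http = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + exe
    for name, fn in (("original", rule_original), ("no depth", rule_depth_dropped),
                     ("relative", rule_relative)):
        print(f"{name:9s} bare exe: {fn(exe)}  behind HTTP headers: {fn(http)}")
```

Run stand-alone it prints one line per variant; only the relative form matches both the bare executable and the executable behind response headers, which is the behaviour Dave reports when dropping depth:2 alone changed nothing.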
Current thread:
- Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Paul Melson (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Will Metcalf (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)