Snort mailing list archives

Re: msg update for these, please?


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 28 Sep 2010 14:55:48 -0400

On 9/28/2010 14:38, Alex Kirk wrote:

On Tue, Sep 28, 2010 at 2:13 PM, waldo kitty <wkitty42 () windstream net> wrote:

    On 9/28/2010 14:00, Alex Kirk wrote:
     > Actually, they both look for PE files headed towards a client - the first
    looks
     > for the PE signature itself coming down, the second for a request for a .exe.

    hey, alex, thanks... i was looking at the flow:to_client and flow:to_server
    aspect of them ;)

    dn? 15306 $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client
    up? 16425 $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server

> Not sure what you're asking here.

well, i wasn't really asking anything... i was pointing out what i see in the 
rule... one's a download from a server to the client and the other is an upload 
from the client to a server... actually, "server" may be a misnomer here but 
that could be semantics, too...

> Yes, SID 15306 is for data traveling "down" to the client,

yes, that's my take on it, too...

> 16425 looks at a packet coming "up" from the client -

yes, so the client is uploading a file... possibly a game or self-extracting 
binary to a file distribution channel like on the original BBSes where users 
uploaded and downloaded lottsa files all day long ;)

> which will then trigger data coming back "down" from the server that you may
> not want.

hunh? where do you see that in 1:16425? it would be the job of /other/ rules to 
detect that, wouldn't it? ;)


in any case, i really do think it best that the one to the client denotes that 
and the one to the server denotes that as well... no matter what else may happen 
after it gets where it is going :) i do try to adhere to the KISS principle and 
go with the simplest choice when i can instead of over-engineering things ;) :P


     > Duplicate messages are generally no fun, though, so how about making the
    second
     > one "WEB-CLIENT Portable Executable binary file transfer - .exe in URI"?

    that might work but see above... ;)

     > On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 () windstream net
    <mailto:wkitty42 () windstream net>
     > <mailto:wkitty42 () windstream net <mailto:wkitty42 () windstream net>>> wrote:
     >
     >
     >     can we get a MSG update for these, please??
     >
     >     OLD:
     >     15306   WEB-CLIENT Portable Executable binary file transfer
     >     16425   WEB-CLIENT Portable Executable binary file transfer
     >
     >     NEW:
     >     15306   WEB-CLIENT Portable Executable binary file transfer to client
     >     16425   WEB-CLIENT Portable Executable binary file transfer to server
     >
     >     or some such?
     >
     >     thanks!

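The two checks the thread is discussing, re-modelled in Python as an added example. This is not Snort's rule text and not code from anyone in the thread: the only things taken from the page are the SIDs, the rule headers quoted above (`$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` with `flow:to_client` for 15306, `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` with `flow:to_server` for 16425) and Alex's description of what each matches (the PE signature coming down, a request for a `.exe` going up). The port set standing in for `$HTTP_PORTS`, the `Packet` fields, the exact PE header test and the sample HTTP exchanges are my assumptions; the real rules' content options are not on this page. What the samples show is why direction makes them two different rules rather than duplicates: a PE served from a URI with no `.exe` in it only trips the to_client check, a `.exe` request answered with a 404 only trips the to_server one, and a PE uploaded in a POST body trips neither.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed stand-in for $HTTP_PORTS; the real value comes from snort.conf.
HTTP_PORTS = {80, 8080}


@dataclass
class Packet:
    """One TCP segment with the fields the rule headers care about (constructed)."""
    src_home: bool   # True when the source address is in $HOME_NET
    src_port: int
    dst_port: int
    payload: bytes


def is_to_server(p: Packet) -> bool:
    """$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS with flow:to_server."""
    return p.src_home and p.dst_port in HTTP_PORTS


def is_to_client(p: Packet) -> bool:
    """$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any with flow:to_client."""
    return (not p.src_home) and p.src_port in HTTP_PORTS


def request_uri(payload: bytes) -> Optional[bytes]:
    """URI from an HTTP request line, or None if the payload is not a request."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def response_body(payload: bytes) -> Optional[bytes]:
    """Body of an HTTP response, or None if the payload is not a response."""
    if not payload.startswith(b"HTTP/"):
        return None
    _, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else None


def looks_like_pe(data: bytes) -> bool:
    """PE test used here (my choice, not necessarily what SID 15306 matches on):
    'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset stored at 0x3c."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def exe_in_uri(p: Packet) -> bool:
    """16425 analogue: a request for a .exe travelling up to the server."""
    if not is_to_server(p):
        return False
    uri = request_uri(p.payload)
    if uri is None:
        return False
    return uri.split(b"?", 1)[0].lower().endswith(b".exe")


def pe_to_client(p: Packet) -> bool:
    """15306 analogue: a PE image in a response travelling down to the client."""
    if not is_to_client(p):
        return False
    body = response_body(p.payload)
    return body is not None and looks_like_pe(body)


def fake_pe() -> bytes:
    """Constructed 72-byte stub: MZ header, e_lfanew = 0x40, PE signature there."""
    buf = bytearray(0x48)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def evaluate(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """(16425 fired, 15306 fired) for each packet, in order."""
    return [(exe_in_uri(p), pe_to_client(p)) for p in packets]


# Constructed exchanges between a $HOME_NET client and an external web server.
SAMPLES = [
    # 1. plain .exe fetch: the request trips 16425, the reply trips 15306
    Packet(True, 51000, 80, b"GET /update.exe HTTP/1.1\r\nHost: dl.example\r\n\r\n"),
    Packet(False, 80, 51000, b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + fake_pe()),
    # 2. PE served from a URI with no .exe in it: only 15306 can see it
    Packet(True, 51001, 80, b"GET /download?id=7 HTTP/1.1\r\nHost: dl.example\r\n\r\n"),
    Packet(False, 80, 51001, b"HTTP/1.1 200 OK\r\n\r\n" + fake_pe()),
    # 3. .exe requested but the server answers 404 HTML: only 16425 fires
    Packet(True, 51002, 80, b"GET /setup.exe?v=2 HTTP/1.1\r\nHost: dl.example\r\n\r\n"),
    Packet(False, 80, 51002, b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>gone</html>"),
    # 4. PE uploaded by the client in a POST body: neither rule is aimed at this
    Packet(True, 51003, 80, b"POST /upload HTTP/1.1\r\nContent-Length: 72\r\n\r\n" + fake_pe()),
]

if __name__ == "__main__":
    for p, (up, down) in zip(SAMPLES, evaluate(SAMPLES)):
        first_line = p.payload.split(b"\r\n", 1)[0][:40].decode("ascii", "replace")
        print(f"{first_line:42} 16425={up!s:5} 15306={down!s:5}")
```

Run stand-alone it prints one line per sample packet with which of the two analogues fired. The to_server check only ever looks at request lines and the to_client check only at response bodies, so swapping `flow:` direction on either rule would silence it entirely, which is the practical reason the message text for each ought to say which way it points.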