Snort mailing list archives
Re: .exe
From: Jeff Kell <jeff-kell () utc edu>
Date: Sun, 5 May 2013 02:03:46 -0400
On 5/5/2013 1:51 AM, Caleb Jaren wrote:
> Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files.
And based on that alone, on any random data stream, matching on the two bytes "4d 5a" you're going to get a hit every 64K data packets. If you're including SSL/TLS/VPN/etc. encrypted traffic, you're going to hit. It's one thing to create a signature to detect a "known thing". It's another thing entirely to reduce or eliminate false positives. The former will gain you points on the "canned" IDS/IPS test suites. The latter will gain you points in the real world.

Jeff
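The chance-match point above can be checked numerically. The following is an added example written for this archive page, not code from the thread: it counts bare "MZ" hits in a seeded pseudo-random stream (two fixed bytes match uniformly random data about once per 64 KiB) and compares that with a check anchored at the start of the payload that also requires the PE signature at the e_lfanew offset. In Snort terms that anchoring corresponds to `depth:2` after `file_data` plus a second content match on "PE|00 00|"; the function names, the constructed minimal PE stub and the random stream are mine.

```python
import random
import struct

MZ = b"MZ"               # the |4d 5a| bytes from the thread (DOS header magic)
PE_SIG = b"PE\x00\x00"   # NT header signature pointed to by e_lfanew at offset 0x3C


def naive_hits(data: bytes) -> int:
    """Count every 'MZ' anywhere in the stream: what a bare content:"|4d 5a|" match does."""
    count = 0
    idx = data.find(MZ)
    while idx != -1:
        count += 1
        idx = data.find(MZ, idx + 1)
    return count


def looks_like_pe(payload: bytes) -> bool:
    """Anchored check: 'MZ' at offset 0 (depth:2), e_lfanew inside the payload,
    and the PE signature at that offset. Drops almost all chance 2-byte matches."""
    if len(payload) < 0x40 or payload[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
    if e_lfanew + len(PE_SIG) > len(payload):
        return False
    return payload[e_lfanew:e_lfanew + len(PE_SIG)] == PE_SIG


def expected_random_hits(nbytes: int) -> float:
    """Expected chance 'MZ' matches in nbytes of uniformly random data: one per 65536 positions."""
    return (nbytes - 1) / 65536.0


def build_minimal_pe_stub() -> bytes:
    """Constructed sample (assumption, not a real executable): a DOS header whose
    e_lfanew points at a PE signature placed right after it."""
    hdr = bytearray(0x80)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + PE_SIG + b"\x00" * 16


def random_stream(nbytes: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted or compressed traffic."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


if __name__ == "__main__":
    stream = random_stream(1 << 20)          # 1 MiB of "encrypted" traffic
    print("expected chance MZ hits in 1 MiB:", round(expected_random_hits(len(stream)), 1))
    print("naive MZ hits in random stream:   ", naive_hits(stream))
    print("anchored PE check on random stream:", looks_like_pe(stream))
    stub = build_minimal_pe_stub()
    print("naive MZ hits in PE stub:         ", naive_hits(stub))
    print("anchored PE check on PE stub:     ", looks_like_pe(stub))
```

Run it and the naive counter reports a dozen or so hits in a megabyte of noise while the anchored check stays quiet; the anchored check still fires on the PE stub. Real detection also has to consider where in the session the file bytes start (HTTP body after headers, chunked or gzip encoding), which is why `file_data` matters more than the two-byte pattern itself.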
Current thread:
- .exe tarik shalo (May 04)