Snort mailing list archives

Re: Question about xls trigger


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 28 Mar 2014 17:24:01 +0000

The first one will set it based off of the extension, however, if the extension is changed, the file magic rule will 
detect the actual file and set the Flowbit.  


--
Joel Esler
Sent from my iPhone

On Mar 28, 2014, at 12:46, "SnortFan" <SnortFan () yahoo com> wrote:

Hi All,

I'm seeing a lot of false positives with Excel files and I think the problem has to do with the way flowbits sets 
.xls files. Both SID 15463 and 19166 set 'file.xls', however it seems that 15463 is unnecessary considering 19166. 
Under what circumstances would 15463 be effective while 19166 fails? Are there any reasons to keep both rules active 
rather than suppressing 15463?

SID 15463
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xls"; fast_pattern:only; http_uri; pcre:"/\x2exls([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:16;)

SID 19166
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; fast_pattern:only; flowbits:set,file.xls; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:19166; rev:13;)

I'm using ips_policy=security in my pulledpork.  

Thanks,
Ed

Sent from a mobile device. 
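To make the difference between the two rules concrete, here is an added example (not part of the thread, and not Snort's own code) that mirrors the matching logic of SID 15463 and SID 19166 in plain Python and runs it over a few constructed request URIs and response bodies. It shows why Joel's answer holds: the extension rule only sees the request URI, the magic rule only sees the served bytes, and either one alone can set the file.xls flowbit. The sample blobs and URIs are constructed for illustration, not real captures.

```python
import re

# --- SID 15463 (request side): extension in the normalized HTTP URI ---------
# The rule's content match ".xls" has no nocase, so it is case-sensitive, and its
# pcre /\x2exls([\?\x5c\x2f]|$)/smiU requires ".xls" to be followed by '?', '\',
# '/' or the end of the URI, so "/a.xlsx" is not matched.
XLS_EXT_RE = re.compile(rb"\.xls([?\\/]|$)", re.I | re.S | re.M)

def sid_15463_matches(uri: bytes) -> bool:
    """Mirror of the extension rule: both the literal content and the pcre must hit."""
    return b".xls" in uri and XLS_EXT_RE.search(uri) is not None

# --- SID 19166 (response side): file magic in the file_data buffer ----------
OLE2_MAGIC = b"\xD0\xCF\x11\xE0"                  # content:"|D0 CF 11 E0|"; depth:4;
WORKBOOK_UTF16 = "Workbook".encode("utf-16-le")   # "W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"

def sid_19166_matches(file_data: bytes) -> bool:
    """Mirror of the magic rule: OLE2 signature in the first 4 bytes and the
    UTF-16LE 'Workbook' stream name anywhere in the buffer."""
    return file_data[:4] == OLE2_MAGIC and WORKBOOK_UTF16 in file_data

def flowbit_state(uri: bytes, file_data: bytes) -> dict:
    """Which rule(s) would set file.xls on a flow carrying this request and response."""
    by_ext = sid_15463_matches(uri)
    by_magic = sid_19166_matches(file_data)
    return {"sid_15463": by_ext, "sid_19166": by_magic, "file.xls": by_ext or by_magic}

# Constructed sample payloads (not real captures): a minimal OLE2-looking blob
# carrying the Workbook stream name, and a ZIP-looking blob served under an .xls name.
XLS_BLOB = OLE2_MAGIC + b"\xA1\xB1\x1A\xE1" + b"\x00" * 504 + WORKBOOK_UTF16 + b"\x00" * 16
ZIP_BLOB = b"PK\x03\x04" + b"\x00" * 60

SAMPLES = {
    "honest":   (b"/reports/q1.xls", XLS_BLOB),   # both rules set the bit
    "renamed":  (b"/files/q1.dat",   XLS_BLOB),   # extension hidden, magic still sets it
    "mismatch": (b"/dl/q1.xls?v=2",  ZIP_BLOB),   # name says xls, bytes do not: only 15463 sets it
    "xlsx":     (b"/dl/q1.xlsx",     ZIP_BLOB),   # pcre boundary rejects ".xlsx"
    "upper":    (b"/dl/Q1.XLS",      XLS_BLOB),   # case-sensitive content misses; magic carries it
}

def run_samples() -> dict:
    """Evaluate every constructed sample and return the per-sample flowbit state."""
    return {name: flowbit_state(uri, body) for name, (uri, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, state in run_samples().items():
        print(f"{name:9s} {state}")
```

The "mismatch" row is the case that produces the kind of noise described in the question: a request for a `.xls` URI sets file.xls on the flow before any response bytes arrive, so downstream rules keyed on that flowbit can fire on content that is not an Excel file at all. The "renamed" and "upper" rows are the cases where only the magic rule catches the file, which is why suppressing 15463 changes coverage on the request side but does not remove the flowbit altogether.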
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
