Snort mailing list archives
Re: Question about xls trigger
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 28 Mar 2014 19:45:29 +0000
That's the intention behind the file preprocessor, which at some point when that feature goes to full release, we'll be using that feature instead of this flowbit method.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Mar 28, 2014, at 1:39 PM, SnortFan <SnortFan () yahoo com> wrote:

> If the file magic rule will detect the actual file, why is the string match rule needed?
>
> Thanks,
> Ed
>
> Sent from a mobile device.
>
> On Mar 28, 2014, at 1:24 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>
>> The first one will set it based off of the extension, however, if the extension is changed, the file magic rule will detect the actual file and set the Flowbit.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Mar 28, 2014, at 12:46, "SnortFan" <SnortFan () yahoo com> wrote:
>>
>>> Hi All,
>>>
>>> I'm seeing a lot of false positives with Excel files and I think the problem has to do with the way flowbits sets .xls files. Both SID 15463 and 19166 set 'file.xls', however it seems that 15463 is unnecessary considering 19166. Under what circumstances would 15463 be effective while 19166 fails? Are there any reasons to keep both rules active rather than suppressing 15463?
>>>
>>> SID 15463:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xls"; fast_pattern:only; http_uri; pcre:"/\x2exls([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:16;)
>>>
>>> SID 19166:
>>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; fast_pattern:only; flowbits:set,file.xls; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:19166; rev:13;)
>>>
>>> I'm using ips_policy=security in my pulledpork.
>>>
>>> Thanks,
>>> Ed
>>>
>>> Sent from a mobile device.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
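The two rules discussed in this thread emulated in Python, as an added example that is not part of the original messages and not code from the Snort ruleset. It models what each rule inspects (SID 15463 the request URI only, SID 19166 the response's file_data buffer only) so the difference Joel describes, and the false-positive mechanism Ed is seeing, can be seen on sample input. The URIs, the HTML error page and the byte string returned by constructed_xls_body() are constructed for the example; the byte string satisfies the magic rule but is not a loadable workbook.

```python
import re

# Constructed sample values for the added example; not real Excel content.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"                  # content:"|D0 CF 11 E0|"; depth:4
WORKBOOK_UTF16 = "Workbook".encode("utf-16-le")  # content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"

# pcre:"/\x2exls([\?\x5c\x2f]|$)/smiU": ".xls" followed by '?', '\', '/' or the end of the URI
XLS_URI_RE = re.compile(r"\.xls([?\\/]|$)", re.IGNORECASE | re.MULTILINE | re.DOTALL)


def sid15463_sets_flowbit(uri: str) -> bool:
    """Emulates SID 15463 on the normalized HTTP request URI (flow:to_server).

    The fast-pattern content ".xls" is a cheap prefilter; the pcre then
    requires the extension to end the path segment. Nothing about the
    response body is examined, so a request for a missing or non-Excel
    resource with ".xls" in its URI still sets file.xls on the flow.
    """
    return ".xls" in uri.lower() and XLS_URI_RE.search(uri) is not None


def sid19166_sets_flowbit(file_data: bytes) -> bool:
    """Emulates SID 19166 on the file_data buffer of the response (flow:to_client).

    depth:4 pins the OLE2 compound-file header to offset 0; the UTF-16LE
    "Workbook" stream name may appear anywhere in the buffer. The URI and
    any file extension play no part, so a renamed workbook is still seen.
    """
    return file_data[:4] == OLE2_MAGIC and WORKBOOK_UTF16 in file_data


def file_xls_set_by(uri: str, file_data: bytes) -> set[int]:
    """SIDs that would set the file.xls flowbit for one request/response pair."""
    sids = set()
    if sid15463_sets_flowbit(uri):
        sids.add(15463)
    if sid19166_sets_flowbit(file_data):
        sids.add(19166)
    return sids


def constructed_xls_body() -> bytes:
    """Minimal constructed byte string that satisfies SID 19166 (not a real workbook)."""
    return OLE2_MAGIC + b"\xa1\xb1\x1a\xe1" + bytes(504) + WORKBOOK_UTF16 + bytes(64)


if __name__ == "__main__":
    html_error = b"<html><body>404 Not Found</body></html>"
    cases = {
        "workbook served with .xls extension": ("/reports/q1.xls", constructed_xls_body()),
        "same workbook served with a changed extension": ("/reports/q1.dat", constructed_xls_body()),
        ".xls in the URI but an HTML error page returned": ("/reports/missing.xls?id=7", html_error),
        ".xlsx request (the pcre does not match)": ("/reports/q1.xlsx", html_error),
    }
    for label, (uri, body) in cases.items():
        print(f"{label}: file.xls set by {sorted(file_xls_set_by(uri, body)) or 'no rule'}")
```

The third case is the one to watch when tuning: only SID 15463 fires, file.xls is set for the flow, and every rule that checks `flowbits:isset,file.xls` then runs against a response that is not an Excel file. The second case is the one Joel's reply is about: the extension rule is blind to it, and only the magic rule marks the flow.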
Current thread:
- Question about xls trigger SnortFan (Mar 28)
- Re: Question about xls trigger James Lay (Mar 28)
- Re: Question about xls trigger Joel Esler (jesler) (Mar 28)
- Re: Question about xls trigger SnortFan (Mar 28)
- Re: Question about xls trigger Joel Esler (jesler) (Mar 28)
- Re: Question about xls trigger SnortFan (Mar 28)