Snort mailing list archives

Rules to Alert on Same System(Word Doc)


From: Mike via Snort-users <snort-users () lists snort org>
Date: Thu, 20 Sep 2018 23:12:08 +0900

I was able to successfully install Snort on Windows 10 and am able to receive alerts with the current rules I have enabled for other tests.  I am collecting on the same machine Snort is installed on, and I am using the "-k none" switch when I start Snort.

I am conducting research in my lab to see how Snort responds to these types of files and at the same time learn to write effective rules.

I have created a malicious (for test) Word doc that uses DDE to open a Chrome browser and open up google.com.  There are numerous rules for Office files, but most are geared towards traffic over mail client/server ports and no matter how I tweak my rules, I am not able to get an alert when I run the document.

Since the traffic is originating from the same system, should the rules start:

"alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field exploit"; flow:to_server,established; file_data;....?"

Any help on if this can be done, or what the payload or rule is missing would be greatly appreciated.


R/S

Mike
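An added example that is not part of the post above and not Snort project code: a small Python scanner that unzips a .docx and reports any field instruction beginning with DDE or DDEAUTO. It is here because a content rule keyed on the document can only fire when the document itself is carried over a protocol Snort reassembles into `file_data` (HTTP, SMTP and so on); a file opened locally never enters that buffer, and even in transit the field codes sit inside a ZIP container, so a plain content match on `DDEAUTO` never sees them unless the engine decompresses the archive. The scanner reads the OOXML parts directly, joins instruction text that Word spreads across several `<w:instrText>` runs (a naive per-run string match misses that), and also covers the `<w:fldSimple>` form. The two sample documents are constructed in memory by the script rather than real Word output; the field in the second one mirrors the post's scenario of launching a browser on google.com.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by every .docx part under word/.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instructions that invoke Dynamic Data Exchange ("DDE" or "DDEAUTO"),
# matched case-insensitively and after any leading whitespace.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list[str]:
    """Return every field instruction in one XML part, in document order.

    Handles the simple form (<w:fldSimple w:instr="...">) and the complex
    form, where the instruction is spread over any number of <w:instrText>
    runs between fldChar begin and fldChar separate/end.
    """
    root = ET.fromstring(part_xml)
    codes: list[str] = []
    # One buffer per open complex field (fields can nest); a buffer becomes
    # None once the field's instruction part has been closed by 'separate'.
    stack: list = []
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "separate" and stack and stack[-1] is not None:
                codes.append("".join(stack[-1]))
                stack[-1] = None
            elif kind == "end" and stack:
                buf = stack.pop()
                if buf is not None:  # field had no 'separate' (no cached result)
                    codes.append("".join(buf))
        elif el.tag == W + "instrText" and stack and stack[-1] is not None:
            stack[-1].append(el.text or "")
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Scan every XML part under word/ (body, headers, footers, footnotes, ...)
    and return (part name, field code) for each DDE/DDEAUTO instruction."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/") or not name.endswith(".xml") or "/_rels/" in name:
                continue
            for code in extract_field_codes(zf.read(name)):
                if DDE_RE.match(code):
                    hits.append((name, code.strip()))
    return hits


def build_sample_docx(body_xml: str) -> bytes:
    """Build a minimal constructed .docx (not real Word output) around body_xml."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?><Types '
        'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed benign document: an ordinary PAGE field.
BENIGN_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>1</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

# Constructed DDE document like the one described in the post. The first
# field's instruction is split across two runs; the second uses fldSimple.
DDE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO "chrome.exe" "https://www.google.com"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>placeholder</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" DDE &quot;chrome.exe&quot; &quot;https://www.google.com&quot; ">'
    '<w:r><w:t>placeholder</w:t></w:r></w:fldSimple></w:p>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dde", DDE_BODY)):
        print(label, find_dde_fields(build_sample_docx(body)))
```

The same joining logic is what any host-side or mail-gateway check needs: match on the reassembled instruction, not on individual runs, and treat `DDE` and `DDEAUTO` (any case) alike.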
