Snort rule to detect Windows PE Executable Downloads

["Humes, David G." <David.Humes () jhuapl edu>]

I would like to have a Snort rule to reliably detect the download of a
Windows PE executable file.  A  rule to detect the MZ magic bytes is
simple but prone to false positives.  An improved rule matches  both the
MZ magic bytes and the PE header, but this too can have false positives.
A superior rule  first matches the MZ magic bytes and then locates the
PE header using the pointer to the beginning of  the PE header that's
found at offset 0x3c in the DOS header.  This seems like the perfet
application  for the byte_jump option.  I came up with this rule after
lots of experimenting, which seems to work  in many cases, but it does
not fire in certain cases for reasons that I do not understand.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable
Download"; content:"MZ"; depth:2; byte_jump:4,60,little,from_beginning;
content:"PE|00 00|"; within:4; flow:established,from_server;
sid:8000143; classtype:bad-unknown; rev:1;)

I'm really not certain why this rule works at all.  What finally got it
working was to add the  from_beginning option to the byte_jump rule
option.  But, it seems to me that the beginning of the  payload is the
HTTP headers, "HTTP/1.1 200 OK...", not "MZ".  Why does Snort think the
beginning of  the payload is "MZ"?  Similarly, the depth option tells
Snort to only look 2 bytes into the payload  for the "MZ" match.  But,
"MZ" is not at the beginning of the packet.  So again, what makes Snort
think the beginning of the payload is "MZ" - perhaps some preprocessor
like http_inspect?  

I tested this using Snort Version 2.4.3 (Build 26), with some Windows
executables that I hosted on an  external Apache/Linux HTTP server, and
also using wget to download some Windows executables from the  web.  If
I download putty.exe from
http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe using wget,  the
rule does not fire.  It also fails using a browser, so wget is not the
issue.  Here's an  abreviated hex dump.  

00000000  47 45 54 20 2f 25 37 45  73 67 74 61 74 68 61 6d GET /%7E
sgtatham
00000010  2f 70 75 74 74 79 2f 30  2e 36 30 2f 78 38 36 2f /putty/0
.60/x86/
00000020  70 75 74 74 79 2e 65 78  65 20 48 54 54 50 2f 31 putty.ex e
HTTP/1
00000030  2e 30 0d 0a 55 73 65 72  2d 41 67 65 6e 74 3a 20 .0..User
-Agent: 
00000040  57 67 65 74 2f 31 2e 39  2b 63 76 73 2d 73 74 61 Wget/1.9
+cvs-sta
00000050  62 6c 65 20 28 52 65 64  20 48 61 74 20 6d 6f 64 ble (Red  Hat
mod
00000060  69 66 69 65 64 29 0d 0a  48 6f 73 74 3a 20 74 68 ified)..
Host: th
00000070  65 2e 65 61 72 74 68 2e  6c 69 0d 0a 41 63 63 65 e.earth.
li..Acce
00000080  70 74 3a 20 2a 2f 2a 0d  0a 43 6f 6e 6e 65 63 74 pt: */*.
.Connect
00000090  69 6f 6e 3a 20 4b 65 65  70 2d 41 6c 69 76 65 0d ion: Kee
p-Alive.
000000A0  0a 0d 0a                                         ...

00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200
OK.
00000010  0a 44 61 74 65 3a 20 57  65 64 2c 20 31 31 20 4a .Date: W ed,
11 J
00000020  75 6c 20 32 30 30 37 20  31 33 3a 35 38 3a 31 31 ul 2007
13:58:11
00000030  20 47 4d 54 0d 0a 53 65  72 76 65 72 3a 20 41 70  GMT..Se
rver: Ap
00000040  61 63 68 65 2f 32 2e 32  2e 33 20 28 44 65 62 69 ache/2.2 .3
(Debi
00000050  61 6e 29 20 6d 6f 64 5f  73 73 6c 2f 32 2e 32 2e an) mod_
ssl/2.2.
00000060  33 20 4f 70 65 6e 53 53  4c 2f 30 2e 39 2e 38 63 3 OpenSS
L/0.9.8c
00000070  0d 0a 4c 61 73 74 2d 4d  6f 64 69 66 69 65 64 3a ..Last-M
odified:
00000080  20 53 75 6e 2c 20 32 39  20 41 70 72 20 32 30 30  Sun, 29  Apr
200
00000090  37 20 31 33 3a 30 32 3a  33 37 20 47 4d 54 0d 0a 7 13:02: 37
GMT..
000000A0  45 54 61 67 3a 20 22 37  32 35 63 39 31 35 2d 36 ETag: "7
25c915-6
000000B0  66 30 30 30 2d 66 62 39  32 66 35 34 30 22 0d 0a f000-fb9
2f540"..
000000C0  41 63 63 65 70 74 2d 52  61 6e 67 65 73 3a 20 62 Accept-R
anges: b
000000D0  79 74 65 73 0d 0a 43 6f  6e 74 65 6e 74 2d 4c 65 ytes..Co
ntent-Le
000000E0  6e 67 74 68 3a 20 34 35  34 36 35 36 0d 0a 4b 65 ngth: 45
4656..Ke
000000F0  65 70 2d 41 6c 69 76 65  3a 20 74 69 6d 65 6f 75 ep-Alive :
timeou
00000100  74 3d 31 35 2c 20 6d 61  78 3d 31 30 30 0d 0a 43 t=15, ma
x=100..C
00000110  6f 6e 6e 65 63 74 69 6f  6e 3a 20 4b 65 65 70 2d onnectio n:
Keep-
00000120  41 6c 69 76 65 0d 0a 43  6f 6e 74 65 6e 74 2d 54 Alive..C
ontent-T
00000130  79 70 65 3a 20 61 70 70  6c 69 63 61 74 69 6f 6e ype: app
lication
00000140  2f 78 2d 6d 73 64 6f 73  2d 70 72 6f 67 72 61 6d /x-msdos
-program
00000150  0d 0a 0d 0a 4d 5a 90 00  03 00 00 00 04 00 00 00 ....MZ..
........
00000160  ff ff 00 00 b8 00 00 00  00 00 00 00 40 00 00 00 ........
....@...
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........
........
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........
........
00000190  00 01 00 00 0e 1f ba 0e  00 b4 09 cd 21 b8 01 4c ........
....!..L
000001A0  cd 21 54 68 69 73 20 70  72 6f 67 72 61 6d 20 63 .!This p
rogram c
000001B0  61 6e 6e 6f 74 20 62 65  20 72 75 6e 20 69 6e 20 annot be  run
in 
000001C0  44 4f 53 20 6d 6f 64 65  2e 0d 0d 0a 24 00 00 00 DOS mode
....$...
000001D0  00 00 00 00 ad 8a 42 12  e9 eb 2c 41 e9 eb 2c 41 ......B.
..,A..,A
000001E0  e9 eb 2c 41 fa e3 45 41  eb eb 2c 41 ec e7 4c 41 ..,A..EA
..,A..LA
000001F0  eb eb 2c 41 ec e7 23 41  f2 eb 2c 41 fa e3 71 41 ..,A..#A
..,A..qA
00000200  eb eb 2c 41 13 c8 35 41  ed eb 2c 41 6a e3 71 41 ..,A..5A
..,Aj.qA
00000210  e6 eb 2c 41 e9 eb 2d 41  f6 ea 2c 41 ec e7 73 41 ..,A..-A
..,A..sA
00000220  51 eb 2c 41 05 e0 72 41  e8 eb 2c 41 ec e7 76 41 Q.,A..rA
..,A..vA
00000230  e8 eb 2c 41 52 69 63 68  e9 eb 2c 41 00 00 00 00 ..,ARich
..,A....
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........
........
00000250  00 00 00 00 50 45 00 00  4c 01 04 00 d0 84 34 46 ....PE..
L.....4F
...stuff deleted...

However, if I take that same putty.exe file, and download it from the
Apache/Linux server where I  hosted it, the rule does fire.  

00000000  47 45 54 20 2f 70 75 74  74 79 2e 65 78 65 20 48 GET /put
ty.exe H
00000010  54 54 50 2f 31 2e 31 0d  0a 48 6f 73 74 3a 20 36 TTP/1.1.
.Host: 6
00000020  38 2e 33 33 2e 31 32 35  2e 31 38 39 0d 0a 55 73 8.33.125
.189..Us
00000030  65 72 2d 41 67 65 6e 74  3a 20 4d 6f 7a 69 6c 6c er-Agent :
Mozill
00000040  61 2f 35 2e 30 20 28 57  69 6e 64 6f 77 73 3b 20 a/5.0 (W
indows; 
00000050  55 3b 20 57 69 6e 64 6f  77 73 20 4e 54 20 35 2e U; Windo ws
NT 5.
00000060  31 3b 20 65 6e 2d 55 53  3b 20 72 76 3a 31 2e 38 1; en-US ;
rv:1.8
00000070  2e 31 2e 34 29 20 47 65  63 6b 6f 2f 32 30 30 37 .1.4) Ge
cko/2007
00000080  30 35 31 35 20 46 69 72  65 66 6f 78 2f 32 2e 30 0515 Fir
efox/2.0
00000090  2e 30 2e 34 0d 0a 41 63  63 65 70 74 3a 20 74 65 .0.4..Ac
cept: te
000000A0  78 74 2f 78 6d 6c 2c 61  70 70 6c 69 63 61 74 69 xt/xml,a
pplicati
000000B0  6f 6e 2f 78 6d 6c 2c 61  70 70 6c 69 63 61 74 69 on/xml,a
pplicati
000000C0  6f 6e 2f 78 68 74 6d 6c  2b 78 6d 6c 2c 74 65 78 on/xhtml
+xml,tex
000000D0  74 2f 68 74 6d 6c 3b 71  3d 30 2e 39 2c 74 65 78 t/html;q
=0.9,tex
000000E0  74 2f 70 6c 61 69 6e 3b  71 3d 30 2e 38 2c 69 6d t/plain;
q=0.8,im
000000F0  61 67 65 2f 70 6e 67 2c  2a 2f 2a 3b 71 3d 30 2e age/png,
*/*;q=0.
00000100  35 0d 0a 41 63 63 65 70  74 2d 4c 61 6e 67 75 61 5..Accep
t-Langua
00000110  67 65 3a 20 65 6e 2d 75  73 2c 65 6e 3b 71 3d 30 ge: en-u
s,en;q=0
00000120  2e 35 0d 0a 41 63 63 65  70 74 2d 45 6e 63 6f 64 .5..Acce
pt-Encod
00000130  69 6e 67 3a 20 67 7a 69  70 2c 64 65 66 6c 61 74 ing: gzi
p,deflat
00000140  65 0d 0a 41 63 63 65 70  74 2d 43 68 61 72 73 65 e..Accep
t-Charse
00000150  74 3a 20 49 53 4f 2d 38  38 35 39 2d 31 2c 75 74 t: ISO-8
859-1,ut
00000160  66 2d 38 3b 71 3d 30 2e  37 2c 2a 3b 71 3d 30 2e f-8;q=0.
7,*;q=0.
00000170  37 0d 0a 4b 65 65 70 2d  41 6c 69 76 65 3a 20 33 7..Keep-
Alive: 3
00000180  30 30 0d 0a 43 6f 6e 6e  65 63 74 69 6f 6e 3a 20 00..Conn
ection: 
00000190  6b 65 65 70 2d 61 6c 69  76 65 0d 0a 52 65 66 65 keep-ali
ve..Refe
000001A0  72 65 72 3a 20 68 74 74  70 3a 2f 2f 36 38 2e 33 rer: htt
p://68.3
000001B0  33 2e 31 32 35 2e 31 38  39 2f 44 61 76 65 48 5f 3.125.18
9/DaveH_
000001C0  69 6e 64 65 78 2e 68 74  6d 6c 0d 0a 0d 0a       index.ht
ml....

00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200
OK.
00000010  0a 44 61 74 65 3a 20 57  65 64 2c 20 31 31 20 4a .Date: W ed,
11 J
00000020  75 6c 20 32 30 30 37 20  31 33 3a 35 39 3a 34 36 ul 2007
13:59:46
00000030  20 47 4d 54 0d 0a 53 65  72 76 65 72 3a 20 41 70  GMT..Se
rver: Ap
00000040  61 63 68 65 0d 0a 4c 61  73 74 2d 4d 6f 64 69 66 ache..La
st-Modif
00000050  69 65 64 3a 20 53 75 6e  2c 20 32 39 20 41 70 72 ied: Sun , 29
Apr
00000060  20 32 30 30 37 20 31 33  3a 30 32 3a 33 37 20 47  2007 13
:02:37 G
00000070  4d 54 0d 0a 45 54 61 67  3a 20 22 39 62 63 32 63 MT..ETag :
"9bc2c
00000080  38 2d 36 66 30 30 30 2d  66 62 39 32 66 35 34 30 8-6f000-
fb92f540
00000090  22 0d 0a 41 63 63 65 70  74 2d 52 61 6e 67 65 73 "..Accep
t-Ranges
000000A0  3a 20 62 79 74 65 73 0d  0a 43 6f 6e 74 65 6e 74 : bytes.
.Content
000000B0  2d 4c 65 6e 67 74 68 3a  20 34 35 34 36 35 36 0d -Length:
454656.
000000C0  0a 43 6f 6e 6e 65 63 74  69 6f 6e 3a 20 63 6c 6f .Connect ion:
clo
000000D0  73 65 0d 0a 43 6f 6e 74  65 6e 74 2d 54 79 70 65 se..Cont
ent-Type
000000E0  3a 20 61 70 70 6c 69 63  61 74 69 6f 6e 2f 6f 63 : applic
ation/oc
000000F0  74 65 74 2d 73 74 72 65  61 6d 0d 0a 0d 0a       tet-stre
am....
000000FE  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00 MZ......
........
0000010E  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00 ........
@.......
0000011E  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........
........
0000012E  00 00 00 00 00 00 00 00  00 00 00 00 00 01 00 00 ........
........
0000013E  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68 ........
!..L.!Th
0000014E  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f is progr am
canno
0000015E  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20 t be run  in
DOS 
0000016E  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00 mode....
$.......
0000017E  ad 8a 42 12 e9 eb 2c 41  e9 eb 2c 41 e9 eb 2c 41 ..B...,A
..,A..,A
0000018E  fa e3 45 41 eb eb 2c 41  ec e7 4c 41 eb eb 2c 41 ..EA..,A
..LA..,A
0000019E  ec e7 23 41 f2 eb 2c 41  fa e3 71 41 eb eb 2c 41 ..#A..,A
..qA..,A
000001AE  13 c8 35 41 ed eb 2c 41  6a e3 71 41 e6 eb 2c 41 ..5A..,A
j.qA..,A
000001BE  e9 eb 2d 41 f6 ea 2c 41  ec e7 73 41 51 eb 2c 41 ..-A..,A
..sAQ.,A
000001CE  05 e0 72 41 e8 eb 2c 41  ec e7 76 41 e8 eb 2c 41 ..rA..,A
..vA..,A
000001DE  52 69 63 68 e9 eb 2c 41  00 00 00 00 00 00 00 00 Rich..,A
........
000001EE  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........
........
000001FE  50 45 00 00 4c 01 04 00  d0 84 34 46 00 00 00 00 PE..L...
..4F....
...stuff deleted...

The HTTP headers are a little different in the two cases, but it is not
obvious to me that it should  make any differnce.  In both cases you can
do the indirection arithmetic and see that the PE header is  located
where it should be.  I thought maybe the Content-Type header could have
something to do with  it, so on the server where I was hosting
putty.exe, I added the application/x-msdos-program mime type  so the
server would send the same header as
http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.   If the
Content-Type header was involved somehow, I would expect my rule to fail
when I download  putty.exe from my server.  But, it continues to work
just fine, and it seems to work well in many  cases as we're getting
lots of detections on the rule.  I just don't see what's different about
downloading from http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.


Hopefully someone can explain this and perhaps offer a more reliable
rule.

Here's the simple little web page that I used for hosting the
executables.

<HTML>
<HEAD>
<TITLE>
Test Page
</TITLE>
</HEAD>
<BODY>
Click <a href="/notepad.exe" > here </a> to download notepad.exe
<BR>
<BR>
Click <a href="/putty.exe" > here </a> to download putty.exe
</BODY>
</HTML>




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users