Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort rule to detect Windows PE ExecutableDownloads

From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 12 Jul 2007 14:24:14 -0400
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE

or DLL Windows file download"; 


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE

Install Windows file download"; 


If you are running the Bleedingthreats rules, this signatures are

commented out by default.

The "This program must..." strings will not match on most current packed PE
files, which is what I assume David is trying to detect.

PaulM



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: