Snort mailing list archives
Re: Snort rule to detect Windows PE ExecutableDownloads
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 12 Jul 2007 14:24:14 -0400
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download";
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download";
If you are running the Bleedingthreats rules, these signatures are
commented out by default. The "This program must..." strings will not match on most current packed PE files, which is what I assume David is trying to detect.

PaulM
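An added example, written for this archive page and not taken from the thread or from the Bleeding Threats ruleset, to show the point behind the message above. It contrasts the string match those signatures rely on (the linker's DOS-stub message) with a structural check that follows the e_lfanew pointer at offset 0x3C of the MZ header to the "PE\0\0" signature, which is the part of a PE file a packer has to preserve. The samples are constructed byte strings, not captured traffic, and the "packed" sample simply has its stub text replaced, as the post says packers do. The structural check goes beyond what the post itself proposes.

```python
import struct

# Known DOS-stub messages emitted by common linkers; the commented-out
# Bleeding Threats signatures discussed in the thread key on text of this kind.
STUB_STRINGS = (
    b"This program cannot be run in DOS mode",   # Microsoft linker stub
    b"This program must be run under Win32",     # Borland linker stub
)

E_LFANEW_OFFSET = 0x3C            # DOS header field holding the PE header offset
PE_SIGNATURE = b"PE\x00\x00"


def build_sample(stub_text: bytes, pe_offset: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped blob (not a runnable executable):
    64-byte DOS header with e_lfanew pointing at the PE signature, the
    given stub text, zero padding, then 'PE\\0\\0' and an i386 Machine field."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, pe_offset)
    blob = (bytes(dos_header) + stub_text).ljust(pe_offset, b"\x00")
    return blob + PE_SIGNATURE + b"\x4c\x01"


def stub_string_match(payload: bytes) -> bool:
    """Content match on the stub message, the approach of the commented-out rules."""
    return any(s in payload for s in STUB_STRINGS)


def structural_match(payload: bytes) -> bool:
    """Follow e_lfanew from the MZ header and confirm the PE signature is there."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", payload, E_LFANEW_OFFSET)[0]
    # Reject pointers that land inside the DOS header or past the data we hold.
    if e_lfanew < 0x40 or e_lfanew + len(PE_SIGNATURE) > len(payload):
        return False
    return payload[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


# Constructed samples, not captured traffic.
SAMPLES = {
    "msvc_linked": build_sample(STUB_STRINGS[0]),
    "borland_linked": build_sample(STUB_STRINGS[1]),
    # A packer rewrote the stub: a few DOS opcodes, no recognisable message,
    # but still a valid MZ/PE layout.
    "packed_custom_stub": build_sample(b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"),
    # Not a PE at all: a web page that merely quotes the stub text.
    "html_quoting_stub": b"<html><body>This program cannot be run in DOS mode</body></html>",
}


def compare(samples: dict) -> dict:
    """Return {name: (stub_string_hit, structural_hit)} for each sample."""
    return {name: (stub_string_match(p), structural_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_string, by_structure) in compare(SAMPLES).items():
        print(f"{name:22} stub-string={by_string!s:5} structural={by_structure}")
```

Run as a script, the packed sample is missed by the string match and caught by the structural check, while the HTML sample shows the opposite: the string match fires on a page that only quotes the message. In Snort the pointer-follow is what the byte_jump keyword exists for; either way the check has to be anchored at the start of the file body and depends on stream reassembly delivering the first 0x80-odd bytes together.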
Current thread:
- Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Paul Melson (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Will Metcalf (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)