Snort mailing list archives

Signature 17210


From: K Vijaya Sai Prasanth <sai.prashanth () isgn com>
Date: Fri, 26 Oct 2012 10:31:12 +0000

Hello snort users,

Can anyone explain when this rule is triggered and how any false positives can be mitigated? I see that this is the 
rule definition. Can someone please interpret this?



alert tcp any [139,445] -> $HOME_NET any (msg:"POLICY Portable Executable binary file transfer over SMB"; flow:to_client,established; content:"|FF|SMB"; depth:4; offset:4; byte_jump:1,28,relative,multiplier 2; content:"MZ|90 00|"; within:4; distance:2; byte_jump:4,56,relative,little; content:"PE|00 00|"; within:4; distance:-64; classtype:policy-violation; sid:17210; rev:1;)



SID 17210
Msg: FILE-EXECUTABLE Portable Executable binary file transfer over SMB
Rev: 3
Classtype: policy-violation


Also, this is the snort build that I use. How do I update my rules database and settings? Please advise.

[root@xxxxxx rules]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006


Regards,
K Vijaya Sai Prasanth
Information Security Analyst
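As an added illustration (not part of the original post or of Snort's own code), the rule's content/byte_jump chain re-implemented in Python and run over a constructed SMB1 read response carrying a minimal DOS/PE stub. It shows why the final PE|00 00| check at e_lfanew, not the MZ bytes alone, is what the rule keys on. The helper names and the packet layout are assumptions.

```python
import struct

def content(buf, cur, pat, distance=0, within=None):
    """Relative Snort content match: pat must lie fully inside the window
    starting `distance` bytes past cur and `within` bytes long."""
    start = cur + distance
    if start < 0:
        return None
    end = len(buf) if within is None else start + within
    idx = buf.find(pat, start, end)
    return None if idx < 0 else idx + len(pat)

def byte_jump(buf, cur, nbytes, offset, multiplier=1, little=False):
    """byte_jump ...,relative: read nbytes at cur+offset, scale, then
    move the cursor that far past the END of the bytes read."""
    pos = cur + offset
    raw = buf[pos:pos + nbytes]
    if len(raw) != nbytes:
        return None
    val = int.from_bytes(raw, "little" if little else "big")
    return pos + nbytes + val * multiplier

def rule_17210(payload):
    """Emulates sid:17210 step by step; returns True when it would fire."""
    cur = content(payload, 0, b"\xffSMB", distance=4, within=4)  # offset:4; depth:4
    if cur is None:
        return False
    cur = byte_jump(payload, cur, 1, 28, multiplier=2)           # WordCount*2 -> ByteCount
    if cur is None:
        return False
    cur = content(payload, cur, b"MZ\x90\x00", distance=2, within=4)  # skip ByteCount
    if cur is None:
        return False
    cur = byte_jump(payload, cur, 4, 56, little=True)            # e_lfanew at MZ+0x3C
    if cur is None:
        return False
    return content(payload, cur, b"PE\x00\x00", distance=-64, within=4) is not None

def build_smb_response(data, wordcount=12):
    """Constructed SMB1-style response: NetBIOS header, 32-byte SMB header,
    WordCount, parameter words, ByteCount, then the transferred data."""
    smb_hdr = b"\xffSMB\x2e" + bytes(27)                        # 0x2E = Read AndX
    body = bytes([wordcount]) + bytes(wordcount * 2) + struct.pack("<H", len(data)) + data
    return b"\x00" + (len(smb_hdr) + len(body)).to_bytes(3, "big") + smb_hdr + body

def build_pe_stub(e_lfanew=0x80):
    """Constructed minimal DOS header with e_lfanew pointing at a PE signature."""
    dos = b"MZ\x90\x00" + bytes(0x3C - 4) + struct.pack("<I", e_lfanew)
    return dos + bytes(e_lfanew - len(dos)) + b"PE\x00\x00" + bytes(16)
```

Data that merely begins with MZ|90 00| but has no PE signature at e_lfanew does not match, and neither does a PE whose DOS header has a different e_cblp value than 0x0090, since the rule hard-codes those two bytes.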