Re: Rules to Alert on Same System(Word Doc)

[Mike Rippey via Snort-users <snort-users () lists snort org>]

Thank you for the reply. I actually am attempting to catch the payload
generated traffic, if this possible.

I am starting from the malicious doc already being on the client desktop,
and then executing it from there which connects out to Google.

I am thinking the below rule would be a good start to catch client
initiated traffic to external. If this works, I just need to figure the
rest of the rule which I would think the file-identify.rules would help.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(flow:to_server,established;)

On Thu, Sep 20, 2018, 23:48 Carter Waxman (cwaxman) <cwaxman () cisco com>
wrote:

> If client, server, and sensor are the same machine (assuming you are
> catching the file in flight not the payload-generated traffic), you want
> $HOME_NET any -> $HOME_NET 80. Additionally, the port direction and
> flow:to_server,established will only alert on upload, so check that it’s
> what you want.
>
> - Carter
>
> On 9/20/18, 10:18 AM, "Snort-users on behalf of Mike via Snort-users" <
> snort-users-bounces () lists snort org on behalf of
> snort-users () lists snort org> wrote:
>
>     I was able to successfully install Snort on Windows 10 and am able to
>     receive alerts with the current rules I have enabled for other tests.
> I
>     am collecting on the same machine Snort is installed on, and I am
> using
>     the "-k none" switch when I start Snort.
>
>     I am conducting research in my lab to see how Snort responds to these
>     types of files and at the same time learn to write effective rules.
>
>     I have created a malicious (for test) Word doc that uses DDE to open a
>     Chrome browser and open up google.com.  There are numerous rules for
>     Office files, but most are geared towards traffic over mail
>     client/server ports and no matter how I tweak my rules, I am not able
> to
>     get an alert when I run the document.
>
>     Since the traffic is originating from the same system, should the
> rules
>     start:
>
>     "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field
>     exploit"; flow:to_server,established; file_data;....?"
>
>     Any help on if this can be done, or what the payload or rule is
> missing
>     would be greatly appreciated.
>
>
>     R/S
>
>     Mike
>
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists snort org
>     Go to this URL to change user options or unsubscribe:
>     https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave () lists snort org
>
>     Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>     Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette