Re: [Snort-users] Snort rule to detect Windows PE Executable

On 7/12/07, Humes, David G. <David.Humes@jhuapl.edu> wrote:
> I would like to have a Snort rule to reliably detect the download of a
> Windows PE executable file.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE
EXE or DLL Windows file download"; flow: established; content:"MZ";
isdataat: 76,relative; content:"This program cannot be run in DOS
mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0;
classtype: misc-activity; sid: 2000419; rev:6; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE
EXE Install Windows file download"; flow: established; content:"MZ";
isdataat: 76,relative; content:"This program must be run under Win32";
distance: 0; isdataat: 140,relative; content:"PE"; distance: 0;
reference:url,http://www.program-transformation.or...m/PcExeFormat;
classtype: misc-activity; sid: 2000427; rev:6; )


If you are running the Bleedingthreats rules, this signatures are
commented out by default.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users