Re: [Snort-users] Snort rule to detect Windows PE (Snort forums, System Security and Security Related category)
Well put Jeffrey, thanks.
Note: Those are commented out because they aren't of interest to all networks. They ARE reliable, just not an indication of hostile activity. Just a policy thing. I use them in a lot of places and have great results.

Matt

> -----Original Message-----
> From: snort-users-bounces@lists.sourceforge.net [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of Jeffrey Denton
> Sent: Friday, July 13, 2007 3:10 AM
> To: Humes, David G.
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Snort rule to detect Windows PE Executable Downloads
>
> On 7/12/07, Humes, David G. <David.Humes@jhuapl.edu> wrote:
> > I would like to have a Snort rule to reliably detect the download of a
> > Windows PE executable file.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; )
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference:url,http://www.program-transformation.or...m/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:6; )
>
> If you are running the Bleedingthreats rules, these signatures are commented out by default.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
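The first rule quoted in the thread (sid 2000419) is a chain of three content matches tied together with distance:0 and isdataat checks; it never reads the PE header itself. The Python below is an added example, not code from the post or from the Bleeding Edge ruleset: it replays that chain over a reassembled stream and sets it beside a structural check that follows the e_lfanew pointer at offset 0x3C to the "PE\0\0" signature. The fake PE image and the HTML snippet are constructed inputs, and the isdataat emulation is an approximation of Snort's semantics (a byte must exist n positions past the cursor).

```python
"""Replay the matching chain of Bleeding Edge sid 2000419 and compare it with a
structural PE header check. Added example, not code from the post or ruleset."""
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode."   # string the rule keys on


def isdataat_relative(data: bytes, cursor: int, n: int) -> bool:
    """Approximates isdataat:n,relative: a byte exists n positions past the cursor."""
    return len(data) - cursor > n


def rule_2000419_matches(data: bytes) -> bool:
    """Walk the rule's chain over one reassembled stream:

    content:"MZ"; isdataat:76,relative; content:"<stub msg>"; distance:0;
    isdataat:10,relative; content:"PE"; distance:0;

    Each distance:0 search starts at the end of the previous match; like Snort,
    the chain is retried from the next "MZ" when it fails.
    """
    start = 0
    while (mz := data.find(b"MZ", start)) >= 0:
        cursor = mz + 2
        if isdataat_relative(data, cursor, 76):
            stub = data.find(DOS_STUB_MSG, cursor)
            if stub >= 0:
                cursor = stub + len(DOS_STUB_MSG)
                if isdataat_relative(data, cursor, 10) and data.find(b"PE", cursor) >= 0:
                    return True
        start = mz + 1
    return False


def has_pe_signature(data: bytes) -> bool:
    """Structural check the rule does not do: MZ at offset 0, and the e_lfanew
    pointer at 0x3C landing on the 'PE\\0\\0' signature inside the data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed input: the smallest layout carrying everything both checks
    look at. It is not a runnable executable."""
    img = bytearray(b"MZ")
    img += b"\x00" * (0x3C - len(img))
    img += struct.pack("<I", e_lfanew)                                   # e_lfanew at 0x3C
    img += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # usual DOS stub code
    img += DOS_STUB_MSG + b"\r\r\n$"
    if e_lfanew < len(img):
        raise ValueError("e_lfanew would overlap the DOS stub")
    img += b"\x00" * (e_lfanew - len(img))
    img += b"PE\x00\x00" + b"\x4c\x01"                                   # signature, Machine=i386
    return bytes(img)


# Constructed input: prose about the format that contains all three strings in order.
TEXT_ABOUT_PE = (
    b"<html><body><p>Every MZ executable starts with a DOS stub that prints '"
    + DOS_STUB_MSG
    + b"' when run under plain DOS; the real header sits at e_lfanew and starts with PE."
    + b"</p></body></html>"
)


def classify(data: bytes) -> dict:
    """Return both verdicts so the difference between the checks is visible."""
    return {"rule_2000419": rule_2000419_matches(data),
            "pe_signature": has_pe_signature(data)}


if __name__ == "__main__":
    for name, blob in [("fake PE", build_fake_pe()),
                       ("truncated PE", build_fake_pe()[:0x80]),
                       ("HTML about PE", TEXT_ABOUT_PE)]:
        print(f"{name:14s} {classify(blob)}")
```

Running it shows why the thread calls these rules reliable but not hostile by themselves: the string chain fires on the fake PE and also on a web page that merely quotes the DOS stub text, while the e_lfanew check only passes on the binary. It also shows why the ruleset carries a second rule for the "This program must be run under Win32" stub: each rule is bound to one stub message, so an image with a different stub is not matched by the first.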