Home page logo
/

snort logo Snort mailing list archives

Re: .exe
From: tarik shalo <tarikshalo () gmail com>
Date: Sat, 4 May 2013 23:34:16 +0300

Hi,

I had to collect and put your responses from the mailing list into
this email, because I didn't get the reply messages in my email.
Anyway, What I was trying to accomplish was to write a rule that fires
when executable files are downloaded from any web server. For that, I
put .exe file in a web server and requested that file via httpfrom the
machine that runs Snort. After removing the
"flow:to_server,established" from the rule, the rule fired but from
your responses, I think I was not doing it the right way. Could you
suggest me a better way? Also, in which rule files are the emerging
threat rules 2000419 and 2015744?

-Thanks all guys


This is the response from waldo kitty.
FWIW: this rule will not detect .exe files only... what it detects is the
content of ".exe" in any traffic being *sent to a server*...

this post should fire this rule if snort is looking at your mail server's
connection when this message arrives... in fact, every message in this thread
should have fired your rule when they hit your smtp server if snort is in the
right place to see it...


The VRT ruleset contains rules looking for PE files also...

Sent from the iRoad

On May 4, 2013, at 7:18, James Lay <digitalx00 () gmail com> wrote:

Ho are you trying to test?  Also check out Emerging Threat rules 2000419 and \
2015744 for more info on rules that hit on exe.
James

On May 4, 2013, at 5:46 AM, tarik shalo <tarikshalo () gmail com> wrote:

Hello,

I wrote the following rule to test if Snort fires when any executable files are \
downloaded. However, the rule is not firing for some reason. Any help or other \
option to accomplish the same goal, pls?
alert any any -> any any (msg: ".exe found"; flow:to_server,established; \
content:".exe"; nocase;classtype:policy-violation;sid:10000056;rev:1; )
-Shalo
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]