Home page logo
/

snort logo Snort mailing list archives

Re: .exe
From: Caleb Jaren <tropism.prophet () gmail com>
Date: Sat, 4 May 2013 22:51:49 -0700

Try flow:from_server,established; and instead of the string ".exe" try
content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the
beginning of most PE files.

On May 4, 2013 7:30 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

On 5/4/2013 16:34, tarik shalo wrote:
Hi,

I had to collect and put your responses from the mailing list into this
email, because I didn't get the reply messages in my email.

i don't know how others do it but i only reply to the list unless special
circumstances are in play... you should be getting all messages from the
list...
if you aren't, you might want to check our spam bucket ;)

Anyway, What I was trying to accomplish was to write a rule that fires
when
executable files are downloaded from any web server. For that, I put
.exe
file in a web server and requested that file via httpfrom the machine
that
runs Snort. After removing the"flow:to_server,established"  from the
rule,
the rule fired but from your responses, I think I was not doing it the
right
way. Could you suggest me a better way?

well, the thing is that detecting the extension is not going to be
complete...
you need to detect the binary signature(s)... some DOS/Winwhatever EXEs
start
with MZ while most of todays stuff starts with PE but there's a bit more
to it
than just that...

additionally, it is not just a "content" detection anywhere like in
headers
which your rule would catch... VRT has numerous rules which work for
detecting
items like this... in particular, the file-executable.rules which set
flowbits
(without an alert) indicating that such a file was detected and then
other rules
are used to detect if the flowbit is set as well as looking at other
aspects of
the data to determine if an alert should be fired for policy violations or
malware or such...

so basically, you cannot detect an EXE file simply by looking for ".exe"
in the
traffic... you have to detect the signature of an executable binary...
that
means looking inside binary files to see what is uniform to be used for
detection...

Also, in which rule files are the emerging threat rules 2000419 and
2015744?

those are in the Emerging Threats rules set... it is distributed by
Emerging
Threats and completely separate from the VRT rules...

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault