Home page logo
/

snort logo Snort mailing list archives

Re: .exe
From: Jeff Kell <jeff-kell () utc edu>
Date: Sun, 5 May 2013 02:03:46 -0400

On 5/5/2013 1:51 AM, Caleb Jaren wrote:

Try flow:from_server,established; and instead of the string ".exe" try
content:"|4d 5a|"; which is equivalent to the text string "MZ" found
at the beginning of most PE files.


And based on that alone, on any random data stream matching on two bytes
"4d 5a" you're going to get a hit every 64K data packets.  If you're
including SSL/TLS/VPN/etc encrypted traffic you're going to hit.

It's one thing to create a signature to detect a "known thing".  It's
another thing entirely to reduce or eliminate false positives.

The former will gain you points on the "canned" IDS/IPS test suites. 
The latter will gain you points in the real world.

Jeff
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]