Snort mailing list archives

Re: .exe
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 05 May 2013 02:49:52 -0400

On 5/5/2013 02:03, Jeff Kell wrote:
> On 5/5/2013 1:51 AM, Caleb Jaren wrote:
>
>> Try flow:from_server,established; and instead of the string ".exe" try
>> content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the
>> beginning of most PE files.
>
> And based on that alone, on any random data stream matching on two bytes "4d 5a"
> you're going to get a hit every 64K data packets. If you're including
> SSL/TLS/VPN/etc encrypted traffic you're going to hit.

agreed... the 'content:"|4d 5a|"' one needs to be followed by an offset
indication as well as being restricted to the proper buffer...

> It's one thing to create a signature to detect a "known thing". It's another
> thing entirely to reduce or eliminate false positives.

you got that right! :)

> The former will gain you points on the "canned" IDS/IPS test suites. The latter
> will gain you points in the real world.

very true :)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
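As an added illustration (not a rule from anyone in this thread), here is the unanchored rule beside one that applies the two restrictions waldo refers to: `file_data` selects the HTTP response body as the buffer, and `depth:2` anchors the check to its first two bytes so the pattern cannot match elsewhere in the stream. The `$EXTERNAL_NET`/`$HTTP_PORTS`/`$HOME_NET` variables are the usual snort.conf defaults, and the sid values are assumed local-range numbers.

```snort
# Weak: scans every byte of every established server->client TCP payload for
# the two bytes 4D 5A. Any binary, compressed or encrypted stream will trip it
# at roughly the 1-in-64K rate Jeff describes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"PE MZ bytes seen anywhere in server payload (noisy)"; \
    flow:from_server,established; \
    content:"|4D 5A|"; \
    sid:1000001; rev:1; )

# Restricted: only inspects the (dechunked, decompressed) HTTP response body,
# and only its first two bytes, so the match means the body *starts* with
# an MZ header rather than merely containing those bytes somewhere.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"PE executable at start of HTTP response body"; \
    flow:from_server,established; \
    file_data; \
    content:"|4D 5A|"; depth:2; \
    classtype:policy-violation; \
    sid:1000002; rev:1; )
```

The second rule still cannot see inside TLS, so it produces no hits on encrypted traffic instead of random ones; if a later check (for example the "PE" signature further into the header) is wanted, chain it with `distance`/`within` relative to this match rather than adding a second unanchored content.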

Snort-users mailing list