Re: .exe

[waldo kitty <wkitty42 () windstream net>]

On 5/5/2013 02:03, Jeff Kell wrote:
> On 5/5/2013 1:51 AM, Caleb Jaren wrote:
> > Try flow:from_server,established; and instead of the string ".exe" try
> > content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the
> > beginning of most PE files.
>
> And based on that alone, on any random data stream matching on two bytes "4d 5a"
> you're going to get a hit every 64K data packets. If you're including
> SSL/TLS/VPN/etc encrypted traffic you're going to hit.

agreed... the 'content:"|4d 5a|"' one needs to be followed by an offset 
indication as well as being restricted to the proper buffer...

> It's one thing to create a signature to detect a "known thing". It's another
> thing entirely to reduce or eliminate false positives.

you got that right! :)

> The former will gain you points on the "canned" IDS/IPS test suites. The latter
> will gain you points in the real world.

very true :)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!