Snort mailing list archives
Re: .exe
From: "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov>
Date: Mon, 6 May 2013 18:06:23 +0000
I've been able to find the 2000419 rule within the emerging threats rule file, however, I have not been able to find the 2015744 rule. I have spent some time searching and after no success thought I'd ask for some assistance. This is the link I used: http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules Thanks for the help. Brian From: Caleb Jaren [mailto:tropism.prophet () gmail com] Sent: Sunday, May 05, 2013 1:52 AM To: waldo kitty Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] .exe Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files. On May 4, 2013 7:30 PM, "waldo kitty" <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote:
On 5/4/2013 16:34, tarik shalo wrote:Hi, I had to collect and put your responses from the mailing list into this email, because I didn't get the reply messages in my email.i don't know how others do it but i only reply to the list unless special circumstances are in play... you should be getting all messages from the list... if you aren't, you might want to check our spam bucket ;)Anyway, What I was trying to accomplish was to write a rule that fires when executable files are downloaded from any web server. For that, I put .exe file in a web server and requested that file via httpfrom the machine that runs Snort. After removing the"flow:to_server,established" from the rule, the rule fired but from your responses, I think I was not doing it the right way. Could you suggest me a better way?well, the thing is that detecting the extension is not going to be complete... you need to detect the binary signature(s)... some DOS/Winwhatever EXEs start with MZ while most of todays stuff starts with PE but there's a bit more to it than just that... additionally, it is not just a "content" detection anywhere like in headers which your rule would catch... VRT has numerous rules which work for detecting items like this... in particular, the file-executable.rules which set flowbits (without an alert) indicating that such a file was detected and then other rules are used to detect if the flowbit is set as well as looking at other aspects of the data to determine if an alert should be fired for policy violations or malware or such... so basically, you cannot detect an EXE file simply by looking for ".exe" in the traffic... you have to detect the signature of an executable binary... that means looking inside binary files to see what is uniform to be used for detection...Also, in which rule files are the emerging threat rules 2000419 and 2015744?those are in the Emerging Threats rules set... it is distributed by Emerging Threats and completely separate from the VRT rules... -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: .exe, (continued)