Snort mailing list archives
Re: Rules to Alert on Same System(Word Doc)
From: "Carter Waxman (cwaxman) via Snort-users" <snort-users () lists snort org>
Date: Thu, 20 Sep 2018 14:48:10 +0000
If client, server, and sensor are the same machine (assuming you are catching the file in flight not the
payload-generated traffic), you want $HOME_NET any -> $HOME_NET 80. Additionally, the port direction and
flow:to_server,established will only alert on upload, so check that it’s what you want.
- Carter
On 9/20/18, 10:18 AM, "Snort-users on behalf of Mike via Snort-users" <snort-users-bounces () lists snort org on behalf of snort-users () lists snort org> wrote:
I was able to successfully install Snort on Windows 10 and am able to
receive alerts with the current rules I have enabled for other tests. I
am collecting on the same machine Snort is installed on, and I am using
the "-k none" switch when I start Snort.
I am conducting research in my lab to see how Snort responds to these
types of files and at the same time learn to write effective rules.
I have created a malicious (for test) Word doc that uses DDE to open a
Chrome browser and open up google.com. There are numerous rules for
Office files, but most are geared towards traffic over mail
client/server ports and no matter how I tweak my rules, I am not able to
get an alert when I run the document.
Since the traffic is originating from the same system, should the rules
start:
"alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field
exploit"; flow:to_server,established; file_data;....?"
Any help on if this can be done, or what the payload or rule is missing
would be greatly appreciated.
R/S
Mike
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
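Carter's two points (both ends of the connection sit in $HOME_NET on a single-host lab, and flow:to_server with dst port 80 only covers an upload) written out as a before/after rule set. This is a constructed example added here, not a rule from the thread or from any published Snort rule set; the DDEAUTO content match, the local sids and the assumption that the test document travels over plain HTTP on port 80 are mine.

```snort
# Constructed example, not from the thread. $HOME_NET and $EXTERNAL_NET are whatever snort.conf defines.
# The content match on the ASCII field code "DDEAUTO" is illustrative only: in a binary .doc the
# field text may be stored as UTF-16, and in .docx the XML sits deflate-compressed inside a zip, so
# a plain ASCII match is not a reliable detector on its own. The point of the example is the header.

# 1. The header as posted. On a lab where client, server and sensor are the same machine, the
#    web server is also inside $HOME_NET, so "$HOME_NET -> $EXTERNAL_NET" never matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field exploit (as posted)"; \
    flow:to_server,established; file_data; content:"DDEAUTO"; nocase; \
    sid:1000001; rev:1;)

# 2. Same host for client, server and sensor: keep both ends inside $HOME_NET.
#    flow:to_server with dst port 80 is still client -> server traffic, i.e. the document
#    being UPLOADED (for example in a POST body). It will not fire on a download.
alert tcp $HOME_NET any -> $HOME_NET 80 (msg:"DDE field in Office document uploaded over HTTP"; \
    flow:to_server,established; file_data; content:"DDEAUTO"; nocase; \
    sid:1000002; rev:1;)

# 3. If the document is being DOWNLOADED (the usual delivery path), the file is in the
#    server's response: reverse the ports and inspect the to_client direction.
alert tcp $HOME_NET 80 -> $HOME_NET any (msg:"DDE field in Office document downloaded over HTTP"; \
    flow:to_client,established; file_data; content:"DDEAUTO"; nocase; \
    sid:1000003; rev:1;)
```

None of these rules see the browser session the DDE payload launches afterwards; that is the "payload-generated traffic" Carter sets aside, and it needs its own rule on that connection rather than on the document.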
