[Snort-sigs] RE: Snort Rule Howto

James Riden j.riden at ...1766...
Sat Aug 28 21:37:01 EDT 2004


Andrews Carl 448 <Carl.Andrews at ...2744...> writes:

>    Why do my questions not get posted? I am a member of the list.
>
>    -----Original Message-----
>    From: Andrews Carl 448
>    Sent: Friday, August 20, 2004 12:30 PM
>    To: Andrews Carl 448; 'snort-sigs at lists.sourceforge.net'
>    Subject: RE: Snort Rule Howto
>
>    -----Original Message-----
>    From: Andrews Carl 448
>    Sent: Thursday, August 19, 2004 2:10 PM
>    To: snort-sigs at lists.sourceforge.net
>    Subject: Snort Rule Howto
>
>    Hi! If anyone can help, it would be much appreciated.
>    I need to write a rule(s) to block certain types of files from
>    crossing the network to/from a computer. For instance, I would like to
>    use the FLEXRESP option to terminate a connection if an EXE, DLL, ZIP,
>    etc. is copied to or from this server.

The short answer is I think you'll have too many false positives to do
it this way; I certainly had to turn some similar snort rules off
because they were firing on people discussing '.exe' files in
email and web pages.

Otherwise, bleedingsnort.com has some rules about executable files I
believe - they would be a good starting point.

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
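As an added illustration of the false-positive point in the reply above (not code from the thread, and not a Snort rule): constructed mail and HTTP payloads are run through a bare extension match, which is roughly what a `content:".exe"; nocase;` rule does, and through a magic-byte check anchored on the body. The Snort option names in the comments are standard syntax quoted for comparison only; the payloads are assumed to be already reassembled streams.

```python
# Added illustration for this thread (not Snort code): why a bare
# extension match fires on mail/web text, and what a body-anchored
# magic-byte check does instead. All payloads below are constructed.
import re

def fake_pe() -> bytes:
    """Constructed minimal DOS/PE stub: 'MZ', padding, e_lfanew=0x40, 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

# Constructed samples: two that merely talk about files, two that carry one.
SAMPLES = {
    "mail_discussion": b"Subject: setup\r\n\r\nPlease do not run setup.exe from the share.\r\n",
    "web_page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Get tool.exe here</p>",
    "real_pe": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + fake_pe(),
    "real_zip": b"HTTP/1.1 200 OK\r\n\r\nPK\x03\x04" + b"\x00" * 26 + b"x.txt",
}

def naive_extension_match(payload: bytes) -> bool:
    """Roughly what content:".exe"; nocase; does: any mention anywhere fires."""
    return re.search(rb"\.(exe|dll|zip)\b", payload, re.IGNORECASE) is not None

def body_of(payload: bytes) -> bytes:
    """Return the part after the first blank line (the message/response body)."""
    sep = payload.find(b"\r\n\r\n")
    return payload if sep < 0 else payload[sep + 4:]

def transferred_binary_type(payload: bytes):
    """Identify an actual file in the body by its magic bytes, not its name.
    Loosely comparable to content:"MZ"; depth:2; plus a second check at e_lfanew."""
    body = body_of(payload)
    if body[:4] == b"PK\x03\x04":
        return "zip"
    if len(body) >= 0x40 and body[:2] == b"MZ":
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return None

def compare(samples=SAMPLES) -> dict:
    """Per sample: (naive rule fired?, binary type found by magic bytes)."""
    return {name: (naive_extension_match(p), transferred_binary_type(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (naive, kind) in compare().items():
        print(f"{name:16} naive={naive!s:5} magic={kind}")
```

The two text samples fire the naive match and carry no file; the two real transfers carry a file and never mention an extension, so the naive rule both over- and under-matches.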
