[Snort-sigs] Suspicious File Extensions

Matthew Jonkman matt at ...2436...
Mon Jul 19 17:10:07 EDT 2004


This rule is up on bleedingsnort.com now. It's a rewrite of the 
snort.org sid 721. The snort.org rule hits on everything imaginable, 
and for most of the file types being detected (i.e. xls, vcf, ppt, 
rtf, dot, or pdf) I'm not aware of any credible threat. This rule is 
scaled back to not detect those. Please correct me if I'm wrong there.

Let me know if this is still hitting on the good ones, and if you have 
an opinion on others to drop or put back in. This makes the rule actually 
useful.

This rule will (should) hit on the following:
ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, emf, 
eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi,
msp, nws, ocx, pif, pl, pm, pot, pps, reg, scr, shs, swf, sys, vb, vbe, 
vbs, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh, xlt, xlw


Be SURE to disable sid 721 in the snort.org sets if you use this rule. I 
think it'll mean more to you in this form.

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c([ho]m|li|md|pp)|d(iz|ll)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(ps|if|[lm]|ot)|reg|s(cr|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:1;)

Here's rule 721 from the snort.org sets that this one replaces:

# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: virus.rules,v 1.25 2004/05/21 21:37:15 cazz Exp $
#------------
# VIRUS RULES
#------------
#
# We don't care about virus rules anymore.  BUT, you people won't stop asking
# us for virus rules.  So... here ya go.
#
# There is now one rule that looks for any of the following attachment types:
#
#   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
#   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
#   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
#   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
#   xls, xlt, xlw
#

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:7;)
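As an added check (my own Python, not part of Matthew's post or of the bleedingsnort/snort.org rule sets), the two PCREs copied from the rules above are run against constructed attachment headers, emulating Snort's content/nocase match followed by pcre with the R (relative) modifier, so the sid 2000562 coverage can be compared with the extension list claimed in the post and with sid 721:

```python
import re

# PCRE body of bleedingsnort sid 2000562, copied from the post (Snort flags: i, R).
BLEEDING_PCRE = (
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[x])|c([ho]m|li|md|pp)|d(iz|ll)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(ps|if|[lm]|ot)|reg|s(cr|[hy]s|wf)|v(b[es]?|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]"
)
# PCRE body of snort.org sid 721 rev 7, copied from the post, for comparison.
SNORT_721_PCRE = (
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]"
)
# The rules' content:"Content-Disposition|3A|"; nocase; match.
CONTENT_DISPOSITION = re.compile(r"Content-Disposition:", re.I)

def rule_matches(pcre: str, payload: str) -> bool:
    """Emulate content + pcre/R: the PCRE is only searched after the
    Content-Disposition header has matched (case-insensitively)."""
    anchor = CONTENT_DISPOSITION.search(payload)
    if anchor is None:
        return False
    return re.compile(pcre, re.I).search(payload, anchor.end()) is not None

def mime_header(filename: str) -> str:
    """Constructed sample: a minimal MIME part header as carried over SMTP.
    The CRLF and closing quote matter: the PCRE needs a terminator after the ext."""
    return ("Content-Type: application/octet-stream\r\n"
            f"Content-Disposition: attachment; filename=\"{filename}\"\r\n\r\n")

def extensions_hit(pcre: str, exts) -> list:
    """Subset of extensions (in the given order) that the PCRE fires on."""
    return [e for e in exts if rule_matches(pcre, mime_header(f"invoice.{e}"))]

# Extensions the post says sid 2000562 will (should) hit, and those it drops.
CLAIMED = ("ade adp asd asf asx bat chm cli cmd com cpp diz dll emf eml exe hlp hsq "
           "hta ini js jse lnk mda mdb mde mdw msi msp nws ocx pif pl pm pot pps reg "
           "scr shs swf sys vb vbe vbs vxd wmd wmf wms wmz wpd wpm wps wpz wsc wsf "
           "wsh xlt xlw").split()
DROPPED = "xls vcf ppt rtf dot pdf".split()

def claimed_but_missed() -> list:
    """Extensions listed in the post that the posted PCRE does not actually match."""
    hits = extensions_hit(BLEEDING_PCRE, CLAIMED)
    return [e for e in CLAIMED if e not in hits]

if __name__ == "__main__":
    print("claimed but missed by sid 2000562:", claimed_but_missed())
    print("dropped list still hit by sid 721:", extensions_hit(SNORT_721_PCRE, DROPPED))
```

Running it shows which of the listed extensions the posted regex really covers, which is the kind of check worth doing before swapping a rule into production.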