[Snort-users] Snort rule to detect Windows PE Executable Downloads

Jeffrey Denton dentonj at ...11827...
Thu Jul 12 13:10:06 EDT 2007


On 7/12/07, Humes, David G. <David.Humes at ...383...> wrote:
> I would like to have a Snort rule to reliably detect the download of a
> Windows PE executable file.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE
EXE or DLL Windows file download"; flow: established; content:"MZ";
isdataat: 76,relative; content:"This program cannot be run in DOS
mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0;
classtype: misc-activity; sid: 2000419; rev:6; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE
EXE Install Windows file download"; flow: established; content:"MZ";
isdataat: 76,relative; content:"This program must be run under Win32";
distance: 0; isdataat: 140,relative; content:"PE"; distance: 0;
reference:url,www.program-transformation.org/Transform/PcExeFormat;
classtype: misc-activity; sid: 2000427; rev:6; )


If you are running the Bleedingthreats rules, this signatures are
commented out by default.




More information about the Snort-users mailing list