[Snort-users] Snort rule to detect Windows PE Executable Downloads

Humes, David G. David.Humes at ...383...
Thu Jul 12 13:56:32 EDT 2007


Yes, I saw those rules.  While they should be fairly reliable, the DOS
stub that prints "This program cannot be run in DOS mode" is not
guaranteed.  A malware author can link in their own DOS stub that
includes whatever he or she wants.  Also, some file-infecting malware
overwrites the DOS stub.  So, I'd rather not rely on that string.

> -----Original Message-----
> From: Jeffrey Denton [mailto:dentonj at ...11827...] 
> Sent: Thursday, July 12, 2007 1:10 PM
> To: Humes, David G.
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort rule to detect Windows PE 
> Executable Downloads
> 
> 
> On 7/12/07, Humes, David G. <David.Humes at ...383...> wrote:
> > I would like to have a Snort rule to reliably detect the 
> download of a 
> > Windows PE executable file.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download";
> flow: established; content:"MZ"; isdataat: 76,relative;
> content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative;
> content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; )
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download";
> flow: established; content:"MZ"; isdataat: 76,relative;
> content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative;
> content:"PE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat;
> classtype: misc-activity; sid: 2000427; rev:6; )
> 
> 
> If you are running the Bleedingthreats rules, these signatures 
> are commented out by default.
> 

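The alternative to keying on the stub message, as the reply above argues, is to follow the PE header itself: "MZ" at offset 0, the 4-byte little-endian e_lfanew field at offset 0x3C, and the "PE\0\0" signature at the offset e_lfanew names. The script below is an added example, not code from the thread or from the Bleeding Edge rule set; it builds a few constructed PE-shaped byte strings (not real files) and runs both checks over them, to show where the stub-string approach misses a custom or overwritten stub and where it fires on something that is not a PE at all. The sample names and the helper functions are this example's own.

```python
import struct

# The string the quoted Bleeding Edge rules key on (stock MSVC linker stub).
DOS_STUB_STRING = b"This program cannot be run in DOS mode"


def build_sample(stub: bytes, e_lfanew: int, signature: bytes = b"PE\x00\x00") -> bytes:
    """Assemble a minimal PE-shaped byte string (constructed test data, not a real file)."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)        # IMAGE_DOS_HEADER is 64 bytes
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)    # e_lfanew -> where "PE\0\0" lives
    image = bytes(dos_header) + stub
    assert len(image) <= e_lfanew, "stub too long for the chosen e_lfanew"
    image = image.ljust(e_lfanew, b"\x00")                # pad up to the NT headers
    return image + signature + b"\x00" * 20               # signature + dummy COFF header


def stub_string_present(data: bytes) -> bool:
    """The stub-string heuristic: 'MZ' somewhere up front, then the stock message."""
    return data[:2] == b"MZ" and DOS_STUB_STRING in data


def structural_pe(data: bytes) -> bool:
    """Header-following check: 'MZ' at 0, read e_lfanew at 0x3C, expect 'PE\\0\\0' there.

    Bounds checks matter: e_lfanew is attacker-controlled and can point past
    the bytes seen so far (or past the end of the file entirely).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed samples, each exercising one of the cases discussed in the thread.
SAMPLES = {
    # stock linker stub: both checks fire
    "stock_stub": build_sample(b"This program cannot be run in DOS mode.\r\n$", 0x80),
    # author linked in their own stub: the string check misses it
    "custom_stub": build_sample(b"Nothing to see here.\r\n$", 0x80),
    # file infector overwrote the stub: same result
    "overwritten_stub": build_sample(b"\x90" * 44, 0x80),
    # decoy: 'MZ' and the famous string, but e_lfanew points at junk
    "decoy_not_pe": build_sample(DOS_STUB_STRING + b".\r\n$", 0x80, signature=b"JUNK"),
    # e_lfanew points beyond the data in hand (truncated or malformed header)
    "bad_e_lfanew": build_sample(b"$", 0x80)[:0x60],
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample_name: (stub_string_fires, structural_check_fires)}."""
    return {name: (stub_string_present(d), structural_pe(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (by_string, by_header) in evaluate().items():
        print(f"{name:18} stub-string={by_string!s:5} structural={by_header}")
```

The same logic in a Snort rule is a byte_jump over the 4-byte little-endian e_lfanew field followed by content:"PE|00 00|" with a short within, rather than a fixed-distance search for the stub text; the exact byte_jump offset options depend on whether the rule matches from the start of the reassembled file body or relative to the "MZ" match, so check the byte_jump documentation for the Snort version in use. Either way, the bounds caveat from the script still applies: a stream rule only sees the bytes delivered so far, and e_lfanew can legitimately point well past the first packet.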