[Snort-users] Snort rule to detect Windows PE ExecutableDownloads

Paul Melson pmelson at ...11827...
Thu Jul 12 14:24:14 EDT 2007


> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE
> or DLL Windows file download"; 
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE
> Install Windows file download"; 
>
> If you are running the Bleedingthreats rules, these signatures are
> commented out by default.

The "This program must..." strings will not match on most current packed PE
files, which is what I assume David is trying to detect.

PaulM
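As an added illustration of the point made above, not code from the original post or from the Bleeding Edge rule set: a small Python checker that identifies a PE file by its MZ header, the e_lfanew pointer and the "PE\0\0" signature, alongside a check that mimics the string-based signature by searching for the stock DOS-stub text. The sample headers are constructed in the script (they are not real executables), and the second sample uses a custom DOS-stub message, the kind of case the post says the string-based rule misses.

```python
import struct

# Constructed DOS-stub texts: the stock message and a custom one
# standing in for a packed or custom-stub binary (constructed, not real samples).
DOS_STUB_STANDARD = b"This program cannot be run in DOS mode."
DOS_STUB_CUSTOM = b"Go away, this stub has been replaced."


def build_pe_sample(stub_text: bytes) -> bytes:
    """Build a constructed minimal PE header: an MZ header whose e_lfanew
    (offset 0x3C) points at a "PE\\0\\0" signature, with the given DOS-stub text."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    stub = stub_text[: e_lfanew - 0x40]          # stub text lives after the DOS header
    header[0x40:0x40 + len(stub)] = stub
    # PE signature followed by a minimal COFF header fragment (i386, 3 sections)
    return bytes(header) + b"PE\0\0" + struct.pack("<HH", 0x014C, 3)


def string_rule_matches(data: bytes) -> bool:
    """Mimics the string-based signature: matches only the stock stub message."""
    return b"This program" in data


def header_rule_matches(data: bytes) -> bool:
    """Header-based check: MZ magic, e_lfanew within the data, and the PE
    signature at that offset. Works regardless of the stub text, and rejects
    truncated data or an out-of-range e_lfanew instead of raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for name, stub in (("stock stub", DOS_STUB_STANDARD), ("custom stub", DOS_STUB_CUSTOM)):
        sample = build_pe_sample(stub)
        print(f"{name}: string rule={string_rule_matches(sample)} "
              f"header rule={header_rule_matches(sample)}")
```

The header check has its own caveat: in a network rule it needs the start of the transferred file, so it belongs on the response body after the HTTP headers (with a depth bound) rather than anywhere in the stream, or "MZ" alone will fire on unrelated data.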