[Snort-users] Snort rule to detect Windows PE ExecutableDownloads

Matt Jonkman jonkman at ...14019...
Thu Jul 12 18:55:21 EDT 2007


Well put Jeffrey, thanks.

Note: Those are commented out because they aren't of interest to all
networks. They ARE reliable, just not an indication of hostile activity.
Just a policy thing. 

I use them in a lot of places and have great results. 

Matt 

> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net 
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf 
> Of Jeffrey Denton
> Sent: Friday, July 13, 2007 3:10 AM
> To: Humes, David G.
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort rule to detect Windows PE 
> ExecutableDownloads
> 
> On 7/12/07, Humes, David G. <David.Humes at ...383...> wrote:
> > I would like to have a Snort rule to reliably detect the 
> download of a
> > Windows PE executable file.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; )
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:6; )
> 
> 
> If you are running the Bleedingthreats rules, these signatures are
> commented out by default.
> 
> 

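An added worked example (not from the thread and not part of the Bleeding rule set): a small Python script that replicates the content/isdataat/distance logic of the two quoted rules over constructed byte strings, and puts a structural check next to it that follows e_lfanew at offset 0x3C to the "PE\0\0" signature. The sample buffers are built in the script, not captured traffic; the function names, the 14-byte stub code and the "silent stub" case are my own constructions, and the isdataat semantics are my reading of Snort 2, labelled as such in the code.

```python
"""Added example: replicate the matching logic of Bleeding SIDs 2000419 and 2000427
over constructed byte strings and compare it with a structural e_lfanew check."""
import struct
from typing import Optional

MS_STUB_MSG = b"This program cannot be run in DOS mode."
BORLAND_STUB_MSG = b"This program must be run under Win32"
# The 14-byte DOS stub program that link.exe emits ahead of its message.
MS_STUB_CODE = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")


def build_pe_header(stub_message: Optional[bytes]) -> bytes:
    """Construct the first few hundred bytes of a PE-shaped file (constructed sample,
    not a real binary). Real layout: 'MZ' at 0, e_lfanew (uint32 LE) at 0x3C,
    DOS stub at 0x40, 'PE\\0\\0' at e_lfanew, then the COFF/optional headers."""
    stub = MS_STUB_CODE
    if stub_message is not None:
        stub += stub_message + b"\r\r\n$"  # DOS int 21h/09h string terminator
    stub += b"\x00" * (-len(stub) % 8)  # linkers align the PE signature
    e_lfanew = 0x40 + len(stub)
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # 0x100 zero bytes stand in for the COFF and optional headers.
    return bytes(dos_header) + stub + b"PE\x00\x00" + b"\x00" * 0x100


def _isdataat_relative(payload: bytes, cursor: int, n: int) -> bool:
    """isdataat:n,relative -- true when byte cursor+n exists (my reading of Snort 2)."""
    return len(payload) > cursor + n


def rule_match(payload: bytes, stub_message: bytes, gap: int) -> bool:
    """Logic shared by both quoted rules:
    content:"MZ"; isdataat:76,relative; content:<stub_message>; distance:0;
    isdataat:<gap>,relative; content:"PE"; distance:0;
    Each later content starts searching where the previous match ended."""
    pos = payload.find(b"MZ")
    if pos < 0:
        return False
    cursor = pos + 2
    if not _isdataat_relative(payload, cursor, 76):
        return False
    pos = payload.find(stub_message, cursor)
    if pos < 0:
        return False
    cursor = pos + len(stub_message)
    if not _isdataat_relative(payload, cursor, gap):
        return False
    return payload.find(b"PE", cursor) >= 0


def sid_2000419(payload: bytes) -> bool:
    return rule_match(payload, MS_STUB_MSG, 10)


def sid_2000427(payload: bytes) -> bool:
    return rule_match(payload, BORLAND_STUB_MSG, 140)


def pe_by_e_lfanew(payload: bytes) -> bool:
    """Structural alternative: MZ at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", payload, 0x3C)
    return 0x40 <= e_lfanew <= len(payload) - 4 and payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed plain text that happens to carry all three strings in order.
TEXT_SAMPLE = (
    b"Re: Snort rule to detect Windows PE downloads\r\n"
    b"The MZ header is followed by a stub that prints "
    b"This program cannot be run in DOS mode. and e_lfanew then points at the PE signature.\r\n"
    + b"x" * 64
)

SAMPLES = {
    "ms_linker_stub": build_pe_header(MS_STUB_MSG),
    "borland_stub": build_pe_header(BORLAND_STUB_MSG),
    "silent_stub": build_pe_header(None),  # stub without a message, e.g. a custom /STUB
    "mailing_list_text": TEXT_SAMPLE,
}


def classify(payload: bytes) -> dict:
    return {"sid_2000419": sid_2000419(payload),
            "sid_2000427": sid_2000427(payload),
            "e_lfanew_check": pe_by_e_lfanew(payload)}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18s} {classify(data)}")
```

Running it shows the trade-off behind Matt's "reliable, just not hostile" remark: the two string-based rules fire on the usual Microsoft and Borland stubs but stay silent on a PE whose stub carries no message, and they also fire on plain text that merely mentions the three strings, whereas the e_lfanew check keys on structure and gets both of those cases right. It only sees the start of the file, though, so it cannot be expressed as a single Snort content match on an arbitrary stream offset.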