[Snort-users] [Snort-sigs] Snort rule to detect Windows PE Executable Downloads

Humes, David G. David.Humes at ...383...
Fri Jul 13 09:02:36 EDT 2007


Removing the depth:2 option seems to have no visible effect.  The rule
continues to fire on the examples where it worked previously, and fails
on the same ones where it didn't work before.  

> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net 
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf 
> Of Matt Jonkman
> Sent: Thursday, July 12, 2007 11:32 PM
> To: Humes, David G.
> Cc: snort-sigs at lists.sourceforge.net; 
> snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] [Snort-sigs] Snort rule to detect 
> Windows PE Executable Downloads
> 
> 
> 
> 
> Humes, David G. wrote:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable 
> > Download"; content:"MZ"; depth:2; 
> > byte_jump:4,60,little,from_beginning;
> > content:"PE|00 00|"; within:4; flow:established,from_server;
> > sid:8000143; classtype:bad-unknown; rev:1;)
> > 
> > It works with this executable, http://www.cygwin.com/setup.exe, but not
> > using this, http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.
> > Why? Could anyone try it on their sensors and let me know if it
> > behaves any differently. Or if anyone has any suggestions on how to
> > do this that does not involve matching the "!This program cannot be
> > run in DOS mode." string, that would be appreciated. Sorry Matt, I
> > just don't think you can depend on that string any more.
> 
> I think you're right.
> 
> The issue with the above is you're assuming the exe is
> starting at the beginning of the packet/stream, which it'll
> not likely be. Drop the depth and try it that way. A little
> higher load, but should be more reliable.
> 
> If that does the trick then we can put the appropriate 
> versions into the bleeding ruleset, and adjust the existing 
> to not look for the dos string.
> 
> Matt
> 
> > 
> > I will take a look at the PEHunter plugin that Jamie
> > suggests. But, I think the rule, or something very similar,
> > should work in all cases.
> > 
> > Thanks.
> > 
> > --Dave
> > 
> > 
> > 
> 
> -- 
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> 765-429-0398
> http://www.bleedingthreats.net
> --------------------------------------------
> 
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
> 
> 
> 
> 

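To see why removing depth:2 alone may leave the rule unchanged, here is a small Python model of the rule's matching logic (an added example, not code from the thread; pe_match, build_pe_stub and the HTTP_PREFIX sample bytes are constructed for the demo). It assumes, as I read the option semantics, that byte_jump:4,60,little,from_beginning reads its 4-byte value at absolute payload offset 60 and jumps from payload offset 0, so both only line up with the PE e_lfanew field when the MZ stub sits at offset 0.

```python
import struct
from typing import Optional

# Constructed HTTP response prefix that pushes the MZ stub away from offset 0.
HTTP_PREFIX = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"


def build_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped blob: 'MZ', e_lfanew at offset 60, 'PE\\0\\0' at e_lfanew."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 60, e_lfanew)      # little-endian pointer to PE header
    return bytes(hdr) + b"\x00" * (e_lfanew - 64) + b"PE\x00\x00" + b"\x00" * 20


def pe_match(payload: bytes, depth: Optional[int] = None,
             anchor_to_mz: bool = False) -> Optional[int]:
    """Model of the rule; returns the offset of 'PE\\0\\0' on a match, else None.

    depth:        content:"MZ"; depth:N  -> 'MZ' must end within the first N bytes.
    anchor_to_mz: False models byte_jump ...,from_beginning (read at absolute
                  offset 60, jump from 0); True reads e_lfanew at MZ+60 and
                  jumps from the MZ match, which is what the PE layout requires.
    """
    limit = len(payload) if depth is None else depth
    mz = payload.find(b"MZ", 0, limit)
    if mz < 0:
        return None
    base = mz if anchor_to_mz else 0
    if base + 64 > len(payload):                   # e_lfanew field truncated
        return None
    e_lfanew = struct.unpack_from("<I", payload, base + 60)[0]
    pe = base + e_lfanew
    if pe + 4 > len(payload) or payload[pe:pe + 4] != b"PE\x00\x00":
        return None
    return pe


if __name__ == "__main__":
    stub = build_pe_stub()
    for label, data, kw in [
        ("stub at offset 0, depth:2", stub, dict(depth=2)),
        ("stub after HTTP headers, depth:2", HTTP_PREFIX + stub, dict(depth=2)),
        ("stub after HTTP headers, no depth", HTTP_PREFIX + stub, {}),
        ("stub after HTTP headers, jump anchored to MZ", HTTP_PREFIX + stub,
         dict(anchor_to_mz=True)),
        ("truncated stub, jump anchored to MZ", stub[:100], dict(anchor_to_mz=True)),
    ]:
        print(f"{label}: {pe_match(data, **kw)}")
```

Only the variant that reads e_lfanew relative to the MZ match finds the PE signature once the stub follows HTTP headers; dropping depth on the from_beginning form changes nothing, which matches what Dave observed.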


