[Snort-users] [Snort-sigs] Snort rule to detect Windows PE Executable Downloads

Will Metcalf william.metcalf at ...11827...
Fri Jul 13 09:27:10 EDT 2007


You will have to change your byte_jump as well, try making it relative to
your MZ match...

Regards,

Will

On 7/13/07, Humes, David G. <David.Humes at ...383...> wrote:
>
> Removing the depth:2 option seems to have no visible effect.  The rule
> continues to fire on the examples where it worked previously, and fails
> on the same ones where it didn't work before.
>
> > -----Original Message-----
> > From: snort-users-bounces at lists.sourceforge.net
> > [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf
> > Of Matt Jonkman
> > Sent: Thursday, July 12, 2007 11:32 PM
> > To: Humes, David G.
> > Cc: snort-sigs at lists.sourceforge.net;
> > snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] [Snort-sigs] Snort rule to detect
> > Windows PE Executable Downloads
> >
> >
> >
> >
> > Humes, David G. wrote:
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable
> > > Download"; content:"MZ"; depth:2;
> > > byte_jump:4,60,little,from_beginning;
> > > content:"PE|00 00|"; within:4; flow:established,from_server;
> > > sid:8000143; classtype:bad-unknown; rev:1;)
> > >
> > > It works with this executable, http://www.cygwin.com/setup.exe, but not
> > > using this, http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.
> > > Why? Could anyone try it on their sensors and let me know if it
> > > behaves any differently?  Or if anyone has any suggestions on how to
> > > do this that does not involve matching the "!This program cannot be
> > > run in DOS mode." string, that would be appreciated.  Sorry Matt, I
> > > just don't think you can depend on that string any more.
> >
> > I think you're right.
> >
> > The issue with the above is you're assuming the exe is
> > starting at the beginning of the packet/stream, which it'll
> > not likely be. Drop the depth and try it that way. A little
> > higher load, but should be more reliable.
> >
> > If that does the trick then we can put the appropriate
> > versions into the bleeding ruleset, and adjust the existing
> > to not look for the dos string.
> >
> > Matt
> >
> > >
> > > I will take a look at the PEHunter plugin that Jamie suggests.  But, I
> > > think the rule, or something very similar, should work in all cases.
> > >
> > > Thanks.
> > >
> > > --Dave
> > >
> > >
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Bleeding Edge Threats
> > 765-429-0398
> > http://www.bleedingthreats.net
> > --------------------------------------------
> >
> > PGP: http://www.bleedingthreats.com/mattjonkman.asc
> >
> >
> >
> >
>
>
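Will's suggestion, worked through in an added Python sketch (mine, not code from the thread or from the Snort project): it emulates how the from_beginning and relative byte_jump forms walk a payload, on constructed sample data, and assumes the relative rule text content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; with Snort taking the jump from the byte after the field it reads.

```python
import struct

# Constructed sample data (not a real capture): a minimal PE-shaped blob with
# e_lfanew at 0x3C, carried behind HTTP response headers so that "MZ" is not
# at payload offset 0, which is Matt's point about the posted rule.
E_LFANEW = 0x80
PE_BLOB = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", E_LFANEW)
           + b"\x00" * (E_LFANEW - 0x40) + b"PE\x00\x00" + b"\x00" * 20)
HTTP_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(PE_BLOB))
PE_SIG = b"PE\x00\x00"


def rule_from_beginning(payload: bytes) -> bool:
    """Emulate the posted rule with depth:2 dropped:
    content:"MZ"; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4;
    The 4-byte field is read at payload offset 60 regardless of where "MZ"
    matched, so any bytes in front of the executable break the jump."""
    if payload.find(b"MZ") < 0 or len(payload) < 64:
        return False
    e_lfanew = struct.unpack_from("<I", payload, 60)[0]
    return payload[e_lfanew:e_lfanew + 4] == PE_SIG


def rule_relative(payload: bytes) -> bool:
    """Emulate the relative form Will suggests (assumed rule text):
    content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4;
    After "MZ" the cursor is at mz+2, so offset 58 lands on e_lfanew at mz+60.
    Assumed Snort semantics: the jump starts after the 4-byte field (mz+64),
    hence distance:-64 to land exactly on the PE signature."""
    mz = payload.find(b"MZ")
    while mz >= 0:                       # Snort retries on later "MZ" matches
        field = mz + 2 + 58
        if field + 4 > len(payload):
            return False
        e_lfanew = struct.unpack_from("<I", payload, field)[0]
        target = field + 4 + e_lfanew - 64
        if payload[target:target + 4] == PE_SIG:
            return True
        mz = payload.find(b"MZ", mz + 1)
    return False


if __name__ == "__main__":
    for name, buf in (("bare exe", PE_BLOB), ("exe behind HTTP headers", HTTP_HDR + PE_BLOB)):
        print(f"{name:24s} from_beginning={rule_from_beginning(buf)} "
              f"relative={rule_relative(buf)}")
```

The bare blob passes both forms; once headers sit in front, only the relative form still reaches the PE signature, which matches the behaviour Dave saw after dropping depth:2 alone.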