[Snort-users] Hello

Matt Olney molney at ...1935...
Fri Apr 2 08:27:01 EDT 2010


You can look for the client request:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL .exe download request"; flow: to_server, established; content:".exe"; http_uri; nocase; pcre:"/\.exe(\?|$)/Ui"; classtype: attempted-admin; sid: 8;)

You can look for server response:

2.8.5 Compliant:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE file detect"; content:"MZ"; byte_jump: 4, 58, relative, little, post_offset -64; content:"PE"; distance: 0; within: 2; classtype: attempted-admin; sid: 6;)

2.8.6 Compliant:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE file detect"; file_data; content:"MZ"; depth: 2; byte_jump: 4, 58, relative, little, post_offset -64; content:"PE"; distance: 0; within: 2; classtype: attempted-admin; sid: 7;)

Matt

On Fri, Apr 2, 2010 at 4:16 AM, vishesh kumar <linuxtovishesh at ...11827...> wrote:

> I want to create a rule that alerts me when any exe is downloaded using HTTP
> from the internet.
> Thanks
>
> On 4/1/10, Mike Lococo <mikelococo at ...11827...> wrote:
> >> My query is I want to monitor exe downloads in my network, how can
> >> I achieve that?
> >
> > The Emerging Threats project has sigs to monitor for win32 executable
> > downloads.  See the following post/thread:
> >
> > http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-August/003438.html
> >
> > You should also really consider using a more descriptive subject line in
> > the future: http://www.catb.org/~esr/faqs/smart-questions.html
> >
> > Cheers,
> > Mike Lococo
> >
> >
> > ------------------------------------------------------------------------------
> > Download Intel® Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
> --
> Sent from my mobile device
>
> http://linuxinterviews.blogspot.com
>
>
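To make the cursor arithmetic in Matt's server-response rules concrete, here is an added Python example (not from the thread or from Snort) that replays the 2.8.6 rule's matching steps over a constructed HTTP body: "MZ" within the first 2 bytes, a 4-byte little-endian read 58 bytes past the cursor (offset 0x3C, the e_lfanew field), a jump by that value from the end of the read, then post_offset -64 so the cursor lands on e_lfanew itself, where "PE" must sit. The helper names and sample payloads are my own constructions.

```python
import struct

E_LFANEW_OFFSET = 0x3C  # offset of e_lfanew in the DOS header (60 = 2 + 58)


def snort_cursor_pe_check(payload: bytes) -> bool:
    """Replay: content:"MZ"; depth:2; byte_jump:4,58,relative,little,post_offset -64;
    content:"PE"; distance:0; within:2;  -- returns True when the rule would match."""
    # content:"MZ"; depth:2 -> the match must start in the first 2 bytes, i.e. at 0
    if payload[:2] != b"MZ":
        return False
    cursor = 2                                  # cursor sits right after "MZ"
    read_at = cursor + 58                       # offset 58, relative -> 0x3C
    if len(payload) < read_at + 4:
        return False                            # byte_jump cannot read past the buffer
    e_lfanew = struct.unpack_from("<I", payload, read_at)[0]   # little-endian dword
    cursor = read_at + 4                        # byte_jump jumps from the end of the read (64)
    cursor = cursor + e_lfanew - 64             # post_offset -64 -> cursor == e_lfanew
    if cursor < 0 or cursor + 2 > len(payload):
        return False                            # jump outside the buffer never matches
    # content:"PE"; distance:0; within:2 -> "PE" must begin exactly at the cursor
    return payload[cursor:cursor + 2] == b"PE"


def make_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Constructed DOS header + PE signature for testing; not a runnable executable."""
    if e_lfanew < E_LFANEW_OFFSET + 4:
        raise ValueError("e_lfanew must point past the DOS header")
    hdr = bytearray(b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2))
    hdr += struct.pack("<I", e_lfanew)          # e_lfanew, little-endian
    hdr += b"\x00" * (e_lfanew - len(hdr))      # pad up to the NT headers
    hdr += b"PE\x00\x00"                        # real signature is "PE\0\0"
    return bytes(hdr)


# Constructed sample bodies the rule would see after file_data.
PE_SAMPLE = make_pe_stub()
DOS_ONLY_SAMPLE = PE_SAMPLE.replace(b"PE\x00\x00", b"\x00" * 4)  # MZ but no PE header
HTML_SAMPLE = b"<html><body>not an executable</body></html>"
TRUNCATED_SAMPLE = PE_SAMPLE[:70]                                 # jump lands past the end
SHIFTED_SAMPLE = b"\x00\x00" + PE_SAMPLE                          # "MZ" outside depth:2

if __name__ == "__main__":
    for name, body in [("PE", PE_SAMPLE), ("DOS-only", DOS_ONLY_SAMPLE),
                       ("HTML", HTML_SAMPLE), ("truncated", TRUNCATED_SAMPLE),
                       ("shifted", SHIFTED_SAMPLE)]:
        print(f"{name:10s} -> {'ALERT' if snort_cursor_pe_check(body) else 'no match'}")
```

The 2.8.5 rule has no depth:2, so in Snort it would also test "MZ" occurrences deeper in the stream; the depth keyword is what pins the DOS header to the start of the file_data buffer.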