[Snort-users] Hello

vishesh kumar linuxtovishesh at ...11827...
Fri Apr 2 10:38:35 EDT 2010


Thanks Matt

   I will try it and let you know.


Thanks


On Fri, Apr 2, 2010 at 5:57 PM, Matt Olney <molney at ...1935...> wrote:

>  You can look for the client request:
>
>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL .exe
> download request"; flow: to_server, established; content:".exe"; http_uri;
> nocase; pcre:"/\.exe(\?|$)/Ui"; classtype: attempted-admin; sid: 8;)
>
> You can look for server response:
>
> 2.8.5 Compliant:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE file
> detct"; content:"MZ"; byte_jump: 4, 58, relative, little, post_offset -64;
> content:"PE"; distance: 0; within: 2; classtype: attempted-admin; sid: 6;)
>
> 2.8.6 Compliant:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE file
> detct"; file_data; content:"MZ"; depth: 2; byte_jump: 4, 58, relative,
> little, post_offset -64; content:"PE"; distance: 0; within: 2; classtype:
> attempted-admin; sid: 7;)
>
> Matt
>
> On Fri, Apr 2, 2010 at 4:16 AM, vishesh kumar <linuxtovishesh at ...11827...> wrote:
>
>> I want to create a rule that alerts me when any exe is downloaded using http
>> from the internet.
>> Thanks
>>
>> On 4/1/10, Mike Lococo <mikelococo at ...11827...> wrote:
>> >> My query is I want to monitor exe downloads in my network, how can
>> >> I achieve that?
>> >
>> > The Emerging Threats project has sigs to monitor for win32 executable
>> > downloads.  See the following post/thread:
>> >
>> >
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-August/003438.html
>> >
>> > You should also really consider using a more descriptive subject line in
>> > the future: http://www.catb.org/~esr/faqs/smart-questions.html
>> >
>> > Cheers,
>> > Mike Lococo
>> >
>> >
>>
>> --
>> Sent from my mobile device
>>
>> http://linuxinterviews.blogspot.com
>>
>>
>
>


-- 
http://linuxinterviews.blogspot.com
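The two detection ideas in Matt's reply (the request URI ends in .exe; the response body is a PE image, located by following the e_lfanew pointer) written out in plain Python so the byte_jump arithmetic can be checked offline. This is an added example, not a rule or code from the thread; the PE header used for testing is constructed, not a real binary.

```python
import re
import struct

# Mirrors the first rule: content:".exe"; http_uri; nocase; pcre:"/\.exe(\?|$)/Ui"
# "uri" is the normalized request URI (path plus query), as Snort's http_uri sees it.
EXE_URI_RE = re.compile(r"\.exe(\?|$)", re.IGNORECASE)


def uri_requests_exe(uri: str) -> bool:
    """True when the URI path ends in .exe, optionally followed by a query string."""
    return EXE_URI_RE.search(uri) is not None


def looks_like_pe(body: bytes) -> bool:
    """Mirror the 2.8.6 rule on an HTTP response body (what file_data points at).

    Rule cursor arithmetic:
      content:"MZ"; depth:2            -> "MZ" at offset 0, cursor now at 2
      byte_jump:4,58,relative,little   -> read u32 at 2+58 = 0x3C (e_lfanew),
                                          cursor at 64, then jump e_lfanew bytes
      post_offset -64                  -> cursor = e_lfanew from body start
      content:"PE"; distance:0; within:2 -> "PE" must sit exactly at e_lfanew
    """
    # The DOS header is 64 bytes; anything shorter cannot carry e_lfanew.
    if len(body) < 64 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    # Snort treats a jump past the buffer as a non-match; do the same explicitly.
    if e_lfanew + 2 > len(body):
        return False
    return body[e_lfanew:e_lfanew + 2] == b"PE"


def constructed_pe_stub() -> bytes:
    """Constructed sample for testing: 64-byte DOS header whose e_lfanew points
    to offset 0x40, immediately followed by the PE signature. Not a real file."""
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"


if __name__ == "__main__":
    print(uri_requests_exe("/downloads/setup.EXE?mirror=2"))  # True
    print(looks_like_pe(constructed_pe_stub()))                # True
    print(looks_like_pe(b"MZ" + b"A" * 100))                   # False
```

Note that the 2.8.5 variant has no `depth`, so its `content:"MZ"` can anchor on an "MZ" anywhere in the payload; the `depth: 2` plus `file_data` in the 2.8.6 variant is what pins the check to the start of the response body, as this function does.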