[Snort-users] msg update for these, please?

waldo kitty wkitty42 at ...14940...
Tue Sep 28 14:13:00 EDT 2010


On 9/28/2010 14:00, Alex Kirk wrote:
> Actually, they both look for PE files headed towards a client - the first looks
> for the PE signature itself coming down, the second for a request for a .exe.

hey, alex, thanks... i was looking at the flow:to_client and flow:to_server 
aspect of them ;)

dn? 15306 $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client
up? 16425 $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server

> Duplicate messages are generally no fun, though, so how about making the second
> one "WEB-CLIENT Portable Executable binary file transfer - .exe in URI"?

that might work but see above... ;)

> On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>
>
>     can we get a MSG update for these, please??
>
>     OLD:
>     15306   WEB-CLIENT Portable Executable binary file transfer
>     16425   WEB-CLIENT Portable Executable binary file transfer
>
>     NEW:
>     15306   WEB-CLIENT Portable Executable binary file transfer to client
>     16425   WEB-CLIENT Portable Executable binary file transfer to server
>
>     or some such?
>
>     thanks!
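
Added example, not part of the original thread: a Python sketch of the two checks Alex describes, a PE signature in a response heading to the client versus a request for a .exe heading to the server. The message strings come from the thread; the matching logic, function names and sample traffic are assumptions and are not the content of SIDs 15306 or 16425.

```python
import struct
from urllib.parse import urlsplit

# Message texts taken from the thread; the matching logic below is an
# assumption, not the actual content of SIDs 15306 / 16425.
MSG_PE_BODY = "WEB-CLIENT Portable Executable binary file transfer"
MSG_EXE_URI = "WEB-CLIENT Portable Executable binary file transfer - .exe in URI"


def body_is_pe(body: bytes) -> bool:
    """True if body starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(direction: str, data: bytes):
    """direction is 'to_client' (HTTP response) or 'to_server' (HTTP request)."""
    head, _, body = data.partition(b"\r\n\r\n")
    if direction == "to_client":
        return MSG_PE_BODY if body_is_pe(body) else None
    if direction == "to_server":
        parts = head.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) < 2:
            return None
        path = urlsplit(parts[1].decode("latin-1")).path
        return MSG_EXE_URI if path.lower().endswith(".exe") else None
    return None


# Constructed sample traffic (not captured data).
_pe = bytearray(0x80)
_pe[:2] = b"MZ"
struct.pack_into("<I", _pe, 0x3C, 0x40)
_pe[0x40:0x44] = b"PE\x00\x00"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + bytes(_pe)
REQUEST = b"GET /files/setup.EXE?id=7 HTTP/1.1\r\nHost: example.test\r\n\r\n"
RENAMED = b"GET /files/setup.dat HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

The two checks are complementary: the request for `setup.dat` produces no URI match, but a PE body in the matching response is still flagged on the to_client side.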
