[Snort-users] msg update for these, please?

Alex Kirk akirk at ...1935...
Tue Sep 28 14:38:38 EDT 2010


On Tue, Sep 28, 2010 at 2:13 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 9/28/2010 14:00, Alex Kirk wrote:
> > Actually, they both look for PE files headed towards a client - the first looks
> > for the PE signature itself coming down, the second for a request for a .exe.
>
> hey, alex, thanks... i was looking at the flow:to_client and flow:to_server
> aspect of them ;)
>
> dn? 15306 $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client
> up? 16425 $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server
>

Not sure what you're asking here. Yes, SID 15306 is for data traveling
"down" to the client, 16425 looks at a packet coming "up" from the client -
which will then trigger data coming back "down" from the server that you may
not want.


>
> > Duplicate messages are generally no fun, though, so how about making the second
> > one "WEB-CLIENT Portable Executable binary file transfer - .exe in URI"?
>
> that might work but see above... ;)
>
> > On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> >
> >
> >     can we get a MSG update for these, please??
> >
> >     OLD:
> >     15306   WEB-CLIENT Portable Executable binary file transfer
> >     16425   WEB-CLIENT Portable Executable binary file transfer
> >
> >     NEW:
> >     15306   WEB-CLIENT Portable Executable binary file transfer to client
> >     16425   WEB-CLIENT Portable Executable binary file transfer to server
> >
> >     or some such?
> >
> >     thanks!
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
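The direction distinction Alex describes above, shown as a pair of constructed Snort rules. These are an added illustration, not the Sourcefire VRT rules 15306 and 16425 (their actual bodies are not on this page); the SIDs are placeholders from the local range, and the msg strings are the ones proposed in the thread. The first rule's header and flow option both point at server-to-client traffic and inspect the response body for the PE "MZ" magic; the second matches the client's outbound request for a .exe, which is what then causes the download the first rule would catch.

```snort
# Constructed example rules (not the real VRT rules 15306/16425); local SIDs used as placeholders.

# "Down" direction: server -> client. Header and flow option agree on to_client.
# file_data moves the inspection cursor to the HTTP response body, where the
# PE/DOS header begins with the two-byte "MZ" magic.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Portable Executable binary file transfer to client"; flow:to_client,established; file_data; content:"MZ"; depth:2; classtype:misc-activity; sid:1000001; rev:1;)

# "Up" direction: client -> server. Header and flow option agree on to_server.
# Fires on the request itself (".exe" in the normalized URI), i.e. before any
# binary has come back down, so it is a leading indicator of the transfer above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Portable Executable binary file transfer - .exe in URI"; flow:to_server,established; content:".exe"; http_uri; nocase; classtype:misc-activity; sid:1000002; rev:1;)
```

When reading a pair like this, check that the header direction (the `->` operands) and the `flow:` modifier agree; a rule whose header says `$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` but carries `flow:to_server` will never match, which is the kind of mismatch the quoted "dn?/up?" question is probing for.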