[Snort-users] msg update for these, please?

Alex Kirk akirk at ...1935...
Tue Sep 28 15:19:45 EDT 2010


>
>
> well, i wasn't really asking anything... i was pointing out what i see in
> the rule... one's a download from a server to the client and the other is an
> upload from the client to a server... actually, "server" may be a misnomer
> here but that could be semantics, too...
>
>
>> Yes, SID 15306 is for data traveling "down" to the client,
>
> yes, that's my take on it, too...
>
>
>> 16425 looks at a packet coming "up" from the client -
>
> yes, so the client is uploading a file... possibly a game or
> self-extracting binary to a file distribution channel like on the original
> BBS' where users uploaded and downloaded lottsa files all day long ;)
>

No, it's not. It's sending a GET request to the server that has a URI which
contains .exe. It's asking for a .exe file.

>
>> which will then trigger data coming back "down" from the server that you may
>> not want.
>>
>
> hunh? where do you see that in 1:16425? it would be the job of /other/
> rules to detect that, wouldn't it? ;)
>

You don't see that in 16425. It's implied, though, from the fact that the
client has requested a .exe file that it's probably going to get such a file
returned to it. While 15306 will generally alert on the file being returned,
we have SID 16425 because some people want to drop outbound requests that
have .exe in the URI.


>
>
> in any case, i really do think it best that the one to the client denotes
> that and the one to the server denotes that as well... no matter what else
> may happen after it gets where it is going :)  i do try to adhere to the
> KISS principle and go with the most simple choice when i can instead of
> over-engineering things ;) :P
>
>
>>     > Duplicate messages are generally no fun, though, so how about making
>>     > the second one "WEB-CLIENT Portable Executable binary file transfer -
>>     > .exe in URI"?
>>
>>    that might work but see above... ;)
>>
>>     > On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>     >
>>     >
>>     >     can we get a MSG update for these, please??
>>     >
>>     >     OLD:
>>     >     15306   WEB-CLIENT Portable Executable binary file transfer
>>     >     16425   WEB-CLIENT Portable Executable binary file transfer
>>     >
>>     >     NEW:
>>     >     15306   WEB-CLIENT Portable Executable binary file transfer to client
>>     >     16425   WEB-CLIENT Portable Executable binary file transfer to server
>>     >
>>     >     or some such?
>>     >
>>     >     thanks!
>>
>


-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
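As an added illustration of the directional split the thread is about (example code, not Snort's own rules or anything from the VRT): a small Python sketch that classifies constructed HTTP samples by flow direction, assuming 15306 looks for a PE image in a server response and 16425 for ".exe" in a client request URI, and tags each hit with the msg text proposed above.

```python
"""Toy model of the two SIDs discussed in the thread (assumption: 16425 =
outbound request with .exe in the URI, 15306 = inbound PE image in a reply)."""
import re
import struct

# Proposed msg strings from the thread, keyed by the direction each rule watches.
MSG_TO_CLIENT = "WEB-CLIENT Portable Executable binary file transfer to client"
MSG_TO_SERVER = "WEB-CLIENT Portable Executable binary file transfer to server"

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def is_pe_image(body: bytes) -> bool:
    """MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(direction: str, payload: bytes):
    """Return (sid, msg) for a hit, or None. direction mirrors flow:to_server /
    flow:to_client: 'client->server' or 'server->client'."""
    if direction == "client->server":
        m = REQUEST_LINE.match(payload)
        if m and b".exe" in m.group(2).lower():   # .exe anywhere in the URI
            return 16425, MSG_TO_SERVER
        return None
    if direction == "server->client":
        head, sep, body = payload.partition(b"\r\n\r\n")
        if sep and head.startswith(b"HTTP/1.") and is_pe_image(body):
            return 15306, MSG_TO_CLIENT
        return None
    raise ValueError(f"unknown direction {direction!r}")


def fake_pe() -> bytes:
    """Constructed minimal PE-looking blob (not a real executable)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> right after header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample traffic used for the demonstration.
SAMPLE_REQUEST = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + fake_pe()
SAMPLE_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for d, p in [("client->server", SAMPLE_REQUEST), ("server->client", SAMPLE_RESPONSE),
                 ("server->client", SAMPLE_HTML)]:
        print(d, classify(d, p))
```

The request sample fires only the "to server" rule and the PE reply only the "to client" one, which is the distinction the renamed msg strings make visible in alert output.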