[Snort-users] msg update for these, please?
wkitty42 at ...14940...
Tue Sep 28 18:52:02 EDT 2010
On 9/28/2010 16:13, Jefferson, Shawn wrote:
> Would this rule trigger for a 16-bit DOS MZ executable being requested as well?
actually, yes, 16425 would fire... that and several others as well :?
> The PE in the alert description could be misleading maybe. It looks like the
> rule only looks for “.exe” in the http_uri, and doesn’t generate any alert by
> itself (just sets a flowbit that is checked by other rules).
you've hit the nail i was aiming at squarely on the head :P
> Actually it looks like 15306 checks for both MZ and PE executables anyway… not
> that big of a deal I guess, everyone knows what it means when you see this alert.
for 15306, yes... the other one doesn't alert, actually... it has
flowbits:noalert; in it and seems to only set a flowbit indicating that a ".exe"
string was detected in the HTTP request URI...
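
The setter/checker arrangement discussed in this message, as an added example that is not part of the original post and is not the text of SID 16425 or 15306. The flowbit name `local.exe_request`, the messages and the local-range SIDs are hypothetical.

```snort
# Constructed local rules for illustration only.

# Setter: marks the flow when the HTTP request URI contains ".exe".
# flowbits:noalert suppresses the alert, so this rule never shows up by itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL .exe in HTTP request URI (flowbit setter)"; flow:to_server,established; content:".exe"; nocase; http_uri; flowbits:set,local.exe_request; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Checker: alerts only on a flow the setter has marked, when the response body
# begins with "MZ". A PE file starts with an MZ stub, so this one test matches
# both 16-bit DOS MZ executables and PE executables.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL MZ or PE executable download after .exe request"; flow:to_client,established; flowbits:isset,local.exe_request; file_data; content:"MZ"; within:2; classtype:policy-violation; sid:1000002; rev:1;)
```

Because the setter is silent, only the checker's msg text reaches the analyst, so that is the text that should describe what was actually matched.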