[Snort-users] msg update for these, please?

waldo kitty wkitty42 at ...14940...
Tue Sep 28 18:52:02 EDT 2010


On 9/28/2010 16:13, Jefferson, Shawn wrote:
> Would this rule trigger for a 16-bit DOS MZ executable being requested as well?

actually, yes, 16425 would fire... that and several others as well :?

>   The PE in the alert description could be misleading maybe. It looks like the
> rule only looks for “.exe” in the http_uri, and doesn’t generate any alert by
> itself (just sets a flowbit that is checked by other rules).

you've hit the nail i was aiming at squarely on the head :P

> Actually it looks like 15306 checks for both MZ and PE executables anyway… not
> that big of a deal I guess, everyone knows what it means when you see this alert.

for 15306, yes... the other one doesn't alert, actually... it has 
flowbits:noalert; in it and seems to only set a flowbit indicating that a ".exe" 
string was detected in the HTTP request URI...




More information about the Snort-users mailing list