[Snort-users] Signature 17210

K Vijaya Sai Prasanth sai.prashanth at ...15887...
Fri Oct 26 06:31:12 EDT 2012


Hello snort users,

Can anyone explain when this rule is triggered and how any false positives can be mitigated? I see that this is the rule definition. Can someone please interpret this?



alert tcp any [139,445] -> $HOME_NET any (msg:"POLICY Portable Executable binary file transfer over SMB"; flow:to_client,established;content:"|FF|SMB";depth:4;offset:4;byte_jump:1,28,relative,multiplier 2;content:"MZ|90 00|";within:4;distance:2;byte_jump:4,56,relative,little;content:"PE|00 00|";within:4;distance:-64; classtype:policy-violation; sid:17210; rev:1;)



SID 17210 (as listed at http://www.snort.org/search/)

Msg: FILE-EXECUTABLE Portable Executable binary file transfer over SMB
Rev: 3
Classtype: policy-violation


Also, this is the Snort build that I use. How do I update my rules database and settings? Please advise.

[root at ...363... rules]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006


Regards,
K Vijaya Sai Prasanth
Information Security Analyst
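Since the question is about what the rule actually inspects, the following is an added example for this thread, not part of the original post and not Snort's own code: a Python emulation of SID 17210's content and byte_jump chain, run over constructed sample traffic (a minimal SMB1 Read AndX response carrying a PE-shaped blob). The function names, the packet builders and the sample values are mine; the flow:to_client and port 139/445 conditions of the rule header are assumed to be already satisfied, so only the rule body is modelled.

```python
# Added example (not from the original post, not Snort's own code): emulate the
# option chain of SID 17210 over a single TCP payload and exercise it with
# constructed SMB traffic. Port/flow conditions are assumed to be met.
import struct

SMB_COM_READ_ANDX = 0x2E  # command byte used in the constructed sample


def rule_17210_matches(payload: bytes) -> bool:
    """Return True if the payload satisfies the rule body's content checks.

    Each step mirrors one rule option; the Snort detection cursor is tracked
    explicitly so the relative offsets can be followed.
    """
    # content:"|FF|SMB"; depth:4; offset:4
    # Bytes 0-3 are the NetBIOS session header; the SMB header starts at 4.
    if payload[4:8] != b"\xffSMB":
        return False
    cursor = 8  # cursor sits just past the matched bytes

    # byte_jump:1,28,relative,multiplier 2
    # 28 bytes past the signature is the 1-byte WordCount that follows the
    # 32-byte SMB header; parameter words are 2 bytes each, hence multiplier 2.
    pos = cursor + 28
    if pos >= len(payload):
        return False
    cursor = pos + 1 + payload[pos] * 2  # jump is measured from the end of the byte read

    # content:"MZ|90 00|"; distance:2; within:4
    # Skip the 2-byte ByteCount; a 4-byte pattern with within:4 must start
    # exactly there, i.e. the DOS header has to open the SMB data area.
    start = cursor + 2
    if payload[start:start + 4] != b"MZ\x90\x00":
        return False
    cursor = start + 4

    # byte_jump:4,56,relative,little
    # 56 bytes past "MZ\x90\x00" is DOS header offset 0x3C (e_lfanew): the
    # little-endian offset of the PE signature, relative to "MZ".
    pos = cursor + 56
    if pos + 4 > len(payload):
        return False
    e_lfanew = struct.unpack_from("<I", payload, pos)[0]
    cursor = pos + 4 + e_lfanew

    # content:"PE|00 00|"; distance:-64; within:4
    # Stepping back 64 bytes undoes the 60-byte field offset plus the 4 bytes
    # just read, so the cursor lands on MZ + e_lfanew where "PE\0\0" must sit.
    start = cursor - 64
    if start < 0:
        return False
    return payload[start:start + 4] == b"PE\x00\x00"


def build_minimal_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed, non-runnable PE-shaped blob: DOS header, e_lfanew, PE signature."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 56)    # 60 bytes of DOS header
    dos += struct.pack("<I", e_lfanew)               # e_lfanew at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))           # stub padding up to the PE header
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"  # signature + IMAGE_FILE_MACHINE_I386


def build_smb_read_andx_response(file_data: bytes) -> bytes:
    """Constructed SMB1 Read AndX response as a server on 139/445 would return it.

    Only the field layout the rule depends on is modelled; most values are zero.
    """
    header = (
        b"\xffSMB"
        + bytes([SMB_COM_READ_ANDX])
        + b"\x00" * 4          # NT status
        + b"\x88"              # Flags: reply, case-insensitive paths
        + b"\x01\xc8"          # Flags2
        + b"\x00" * 2          # PIDHigh
        + b"\x00" * 8          # SecurityFeatures
        + b"\x00" * 2          # Reserved
        + b"\x00" * 8          # TID, PIDLow, UID, MID
    )                          # 32 bytes in total
    words = b"\x00" * 24       # 12 parameter words (WordCount 12)
    body = bytes([12]) + words + struct.pack("<H", len(file_data)) + file_data
    netbios = b"\x00" + (len(header) + len(body)).to_bytes(3, "big")
    return netbios + header + body


if __name__ == "__main__":
    pe_over_smb = build_smb_read_andx_response(build_minimal_pe())
    text_over_smb = build_smb_read_andx_response(b"quarterly-report.txt contents")
    print("PE file read over SMB   ->", rule_17210_matches(pe_over_smb))    # True
    print("text file read over SMB ->", rule_17210_matches(text_over_smb))  # False
```

What the walk-through shows: the rule fires when an SMB message from a server carries, at the very start of its data area, a DOS header beginning with the default "MZ 90 00" stub bytes whose e_lfanew field points at a valid "PE\0\0" signature. It does not inspect who is transferring the file or why, which is why it is classtype policy-violation: every executable legitimately read from a share (installers, logon scripts, deployment tools) matches just as a malicious one does. Tuning therefore usually means deciding which file servers are expected to serve executables and suppressing or thresholding on those, rather than editing the pattern. The emulation also makes the rule's blind spots visible: a read that does not start at file offset 0, a DOS header with different stub bytes, or a payload cut short before the e_lfanew field all fall through to False.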