[Snort-users] Rules to Alert on Same System(Word Doc)
cr8syoki at gmail.com
Thu Sep 20 10:12:08 EDT 2018
I was able to successfully install Snort on Windows 10 and am able to
receive alerts with the current rules I have enabled for other tests. I
am collecting on the same machine Snort is installed on, and I am using
the "-k none" switch when I start Snort.
I am conducting research in my lab to see how Snort responds to these
types of files and at the same time learn to write effective rules.
I have created a malicious (for test) Word doc that uses DDE to open a
Chrome browser and open up google.com. There are numerous rules for
Office files, but most are geared towards traffic over mail
client/server ports and no matter how I tweak my rules, I am not able to
get an alert when I run the document.
Since the traffic is originating from the same system, should the rules
"alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field
exploit"; flow:to_server,established; file_data;....?"
Any help on if this can be done, or what the payload or rule is missing
would be greatly appreciated.
More information about the Snort-users