[Snort-users] Rules to Alert on Same System(Word Doc)

Carter Waxman (cwaxman) cwaxman at cisco.com
Thu Sep 20 10:48:10 EDT 2018


If client, server, and sensor are the same machine (assuming you are catching the file in flight not the payload-generated traffic), you want $HOME_NET any -> $HOME_NET 80. Additionally, the port direction and flow:to_server,established will only alert on upload, so check that it’s what you want.

- Carter

On 9/20/18, 10:18 AM, "Snort-users on behalf of Mike via Snort-users" <snort-users-bounces at lists.snort.org on behalf of snort-users at lists.snort.org> wrote:

    I was able to successfully install Snort on Windows 10 and am able to 
    receive alerts with the current rules I have enabled for other tests.  I 
    am collecting on the same machine Snort is installed on, and I am using 
    the "-k none" switch when I start Snort.
    
    I am conducting research in my lab to see how Snort responds to these 
    types of files and at the same time learn to write effective rules.
    
    I have created a malicious (for test) Word doc that uses DDE to open a 
    Chrome browser and open up google.com.  There are numerous rules for 
    Office files, but most are geared towards traffic over mail 
    client/server ports and no matter how I tweak my rules, I am not able to 
    get an alert when I run the document.
    
    Since the traffic is originating from the same system, should the rules 
    start:
    
    "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field 
    exploit"; flow:to_server,established; file_data;....?"
    
    Any help on if this can be done, or what the payload or rule is missing 
    would be greatly appreciated.
    
    
    R/S
    
    Mike
    
    _______________________________________________
    Snort-users mailing list
    Snort-users at lists.snort.org
    Go to this URL to change user options or unsubscribe:
    https://lists.snort.org/mailman/listinfo/snort-users
    
    	To unsubscribe, send an email to:
    	snort-users-leave at lists.snort.org
    
    Please visit http://blog.snort.org to stay current on all the latest Snort news!
    
    Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
    



More information about the Snort-users mailing list