[Snort-users] Rules to Alert on Same System(Word Doc)
cr8syoki at gmail.com
Thu Sep 20 17:25:42 EDT 2018
Thank you for the reply. I actually am attempting to catch the payload-generated
traffic, if this is possible.
I am starting from the malicious doc already being on the client desktop,
and then executing it from there which connects out to Google.
I am thinking the below rule would be a good start to catch client-initiated
traffic to external. If this works, I just need to figure out the rest of the
rule, which I would think the file-identify.rules would help with.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
On Thu, Sep 20, 2018, 23:48 Carter Waxman (cwaxman) <cwaxman at cisco.com> wrote:
> If client, server, and sensor are the same machine (assuming you are
> catching the file in flight not the payload-generated traffic), you want
> $HOME_NET any -> $HOME_NET 80. Additionally, the port direction and
> flow:to_server,established will only alert on upload, so check that it’s
> what you want.
> - Carter
> On 9/20/18, 10:18 AM, "Snort-users on behalf of Mike via Snort-users" <
> snort-users-bounces at lists.snort.org on behalf of
> snort-users at lists.snort.org> wrote:
> I was able to successfully install Snort on Windows 10 and am able to
> receive alerts with the current rules I have enabled for other tests.
> I am collecting on the same machine Snort is installed on, and I am using
> the "-k none" switch when I start Snort.
> I am conducting research in my lab to see how Snort responds to these
> types of files and at the same time learn to write effective rules.
> I have created a malicious (for test) Word doc that uses DDE to open a
> Chrome browser and open up google.com. There are numerous rules for
> Office files, but most are geared towards traffic over mail
> client/server ports and no matter how I tweak my rules, I am not able to
> get an alert when I run the document.
> Since the traffic is originating from the same system, should the
> "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field
> exploit"; flow:to_server,established; file_data;....?"
> Any help on if this can be done, or what the payload or rule is
> would be greatly appreciated.
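The point Carter makes in the thread (that on a single machine acting as client, server and sensor a `$HOME_NET -> $EXTERNAL_NET` header can never match, because Snort's default `$EXTERNAL_NET` is `!$HOME_NET`, and that `flow:to_server` only fires on the client-to-server direction) is easy to check with a small model of how Snort resolves rule-header variables and direction. The following is an added example, not code from the thread or from the Snort project: it is a simplified, stand-alone re-implementation of header address/port matching plus the `to_server` check, with constructed variable values (a lab host at 192.168.1.10 and an external web server at 203.0.113.5) and constructed packets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values (assumption, not from the thread): the Windows 10
# box is both the only HOME_NET host and the sensor. EXTERNAL_NET keeps the
# Snort default of "everything that is not HOME_NET".
VARIABLES = {
    "HOME_NET": ["192.168.1.10/32"],
    "EXTERNAL_NET": ["!$HOME_NET"],
    "HTTP_PORTS": [80, 8080],
}


def addr_matches(spec: str, ip: str) -> bool:
    """Resolve one address field: 'any', '$VAR', '!...', or a CIDR literal."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return any(addr_matches(entry, ip) for entry in VARIABLES[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Resolve one port field: 'any', '$VAR' (list of ints), or a literal."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("$"):
        return port in VARIABLES[spec[1:]]
    return port == int(spec)


@dataclass(frozen=True)
class RuleHeader:
    src: str
    sport: str
    dst: str
    dport: str
    to_server: bool = True  # models the flow:to_server,established option


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    from_client: bool  # direction as Snort's flow tracker would record it


def header_matches(rule: RuleHeader, pkt: Packet) -> bool:
    """True if the packet satisfies the rule header and its flow direction."""
    if rule.to_server and not pkt.from_client:
        return False  # to_server never fires on the server's reply
    return (addr_matches(rule.src, pkt.src_ip) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst_ip) and port_matches(rule.dport, pkt.dport))


# The two headers discussed in the thread.
EXTERNAL_RULE = RuleHeader("$HOME_NET", "any", "$EXTERNAL_NET", "$HTTP_PORTS")
LOCAL_RULE = RuleHeader("$HOME_NET", "any", "$HOME_NET", "80")

# Constructed packets: a request and its reply when client and server are the
# same host, and a request from that host to an external web server.
LOCAL_REQUEST = Packet("192.168.1.10", "192.168.1.10", 50123, 80, from_client=True)
LOCAL_RESPONSE = Packet("192.168.1.10", "192.168.1.10", 80, 50123, from_client=False)
OUTBOUND_REQUEST = Packet("192.168.1.10", "203.0.113.5", 50124, 80, from_client=True)


def evaluate() -> dict:
    """Return which header matches which packet, for the four cases of interest."""
    return {
        "external_rule_vs_local_request": header_matches(EXTERNAL_RULE, LOCAL_REQUEST),
        "local_rule_vs_local_request": header_matches(LOCAL_RULE, LOCAL_REQUEST),
        "local_rule_vs_local_response": header_matches(LOCAL_RULE, LOCAL_RESPONSE),
        "external_rule_vs_outbound_request": header_matches(EXTERNAL_RULE, OUTBOUND_REQUEST),
    }


if __name__ == "__main__":
    for case, hit in evaluate().items():
        print(f"{case}: {'ALERT' if hit else 'no match'}")
```

Running it shows the `$EXTERNAL_NET` header silently missing the same-host request (the destination is inside `$HOME_NET`, so it is excluded by `!$HOME_NET`), the `$HOME_NET -> $HOME_NET 80` header catching the request but not the reply because of `to_server`, and the `$EXTERNAL_NET` header matching only once the destination really is an outside web server. When a rule never fires, checking the header against a captured packet this way is quicker than tuning the payload options.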