Thank you for the reply. I actually am attempting to catch the payload generated traffic, if this possible. 

I am starting from the malicious doc already being on the client desktop, and then executing it from there which connects out to Google. 

I am thinking the below rule would be a good start to catch client initiated traffic to external. If this works, I just need to figure the rest of the rule which I would think the file-identify.rules would help. 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (flow:to_server,established;) 

On Thu, Sep 20, 2018, 23:48 Carter Waxman (cwaxman) <> wrote:
If client, server, and sensor are the same machine (assuming you are catching the file in flight not the payload-generated traffic), you want $HOME_NET any -> $HOME_NET 80. Additionally, the port direction and flow:to_server,established will only alert on upload, so check that it’s what you want.

- Carter

On 9/20/18, 10:18 AM, "Snort-users on behalf of Mike via Snort-users" < on behalf of> wrote:

    I was able to successfully install Snort on Windows 10 and am able to
    receive alerts with the current rules I have enabled for other tests.  I
    am collecting on the same machine Snort is installed on, and I am using
    the "-k none" switch when I start Snort.

    I am conducting research in my lab to see how Snort responds to these
    types of files and at the same time learn to write effective rules.

    I have created a malicious (for test) Word doc that uses DDE to open a
    Chrome browser and open up  There are numerous rules for
    Office files, but most are geared towards traffic over mail
    client/server ports and no matter how I tweak my rules, I am not able to
    get an alert when I run the document.

    Since the traffic is originating from the same system, should the rules

    "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Microsoft DDE field
    exploit"; flow:to_server,established; file_data;....?"

    Any help on if this can be done, or what the payload or rule is missing
    would be greatly appreciated.



    Snort-users mailing list
    Go to this URL to change user options or unsubscribe:

        To unsubscribe, send an email to:

    Please visit to stay current on all the latest Snort news!

    Please follow these rules: