Snort mailing list archives
Snort rule to detect Windows PE Executable Downloads
From: "Humes, David G." <David.Humes () jhuapl edu>
Date: Thu, 12 Jul 2007 11:50:15 -0400
I would like to have a Snort rule to reliably detect the download of a Windows PE executable file. A rule to detect the MZ magic bytes is simple but prone to false positives. An improved rule matches both the MZ magic bytes and the PE header, but this too can have false positives. A superior rule first matches the MZ magic bytes and then locates the PE header using the pointer to the beginning of the PE header that's found at offset 0x3c in the DOS header. This seems like the perfect application for the byte_jump option. I came up with this rule after lots of experimenting, which seems to work in many cases, but it does not fire in certain cases for reasons that I do not understand.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable Download"; content:"MZ"; depth:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; flow:established,from_server; sid:8000143; classtype:bad-unknown; rev:1;)

I'm really not certain why this rule works at all. What finally got it working was to add the from_beginning option to the byte_jump rule option. But, it seems to me that the beginning of the payload is the HTTP headers, "HTTP/1.1 200 OK...", not "MZ". Why does Snort think the beginning of the payload is "MZ"? Similarly, the depth option tells Snort to only look 2 bytes into the payload for the "MZ" match. But, "MZ" is not at the beginning of the packet. So again, what makes Snort think the beginning of the payload is "MZ" - perhaps some preprocessor like http_inspect?

I tested this using Snort Version 2.4.3 (Build 26), with some Windows executables that I hosted on an external Apache/Linux HTTP server, and also using wget to download some Windows executables from the web. If I download putty.exe from http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe using wget, the rule does not fire. It also fails using a browser, so wget is not the issue. Here's an abbreviated hex dump.
00000000 47 45 54 20 2f 25 37 45 73 67 74 61 74 68 61 6d GET /%7E sgtatham
00000010 2f 70 75 74 74 79 2f 30 2e 36 30 2f 78 38 36 2f /putty/0 .60/x86/
00000020 70 75 74 74 79 2e 65 78 65 20 48 54 54 50 2f 31 putty.ex e HTTP/1
00000030 2e 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 .0..User -Agent:
00000040 57 67 65 74 2f 31 2e 39 2b 63 76 73 2d 73 74 61 Wget/1.9 +cvs-sta
00000050 62 6c 65 20 28 52 65 64 20 48 61 74 20 6d 6f 64 ble (Red Hat mod
00000060 69 66 69 65 64 29 0d 0a 48 6f 73 74 3a 20 74 68 ified).. Host: th
00000070 65 2e 65 61 72 74 68 2e 6c 69 0d 0a 41 63 63 65 e.earth. li..Acce
00000080 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e 65 63 74 pt: */*. .Connect
00000090 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d ion: Kee p-Alive.
000000A0 0a 0d 0a
...

00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
00000010 0a 44 61 74 65 3a 20 57 65 64 2c 20 31 31 20 4a .Date: W ed, 11 J
00000020 75 6c 20 32 30 30 37 20 31 33 3a 35 38 3a 31 31 ul 2007 13:58:11
00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 GMT..Se rver: Ap
00000040 61 63 68 65 2f 32 2e 32 2e 33 20 28 44 65 62 69 ache/2.2 .3 (Debi
00000050 61 6e 29 20 6d 6f 64 5f 73 73 6c 2f 32 2e 32 2e an) mod_ ssl/2.2.
00000060 33 20 4f 70 65 6e 53 53 4c 2f 30 2e 39 2e 38 63 3 OpenSS L/0.9.8c
00000070 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a ..Last-M odified:
00000080 20 53 75 6e 2c 20 32 39 20 41 70 72 20 32 30 30 Sun, 29 Apr 200
00000090 37 20 31 33 3a 30 32 3a 33 37 20 47 4d 54 0d 0a 7 13:02: 37 GMT..
000000A0 45 54 61 67 3a 20 22 37 32 35 63 39 31 35 2d 36 ETag: "7 25c915-6
000000B0 66 30 30 30 2d 66 62 39 32 66 35 34 30 22 0d 0a f000-fb9 2f540"..
000000C0 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20 62 Accept-R anges: b
000000D0 79 74 65 73 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 ytes..Co ntent-Le
000000E0 6e 67 74 68 3a 20 34 35 34 36 35 36 0d 0a 4b 65 ngth: 45 4656..Ke
000000F0 65 70 2d 41 6c 69 76 65 3a 20 74 69 6d 65 6f 75 ep-Alive : timeou
00000100 74 3d 31 35 2c 20 6d 61 78 3d 31 30 30 0d 0a 43 t=15, ma x=100..C
00000110 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d onnectio n: Keep-
00000120 41 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 Alive..C ontent-T
00000130 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e ype: app lication
00000140 2f 78 2d 6d 73 64 6f 73 2d 70 72 6f 67 72 61 6d /x-msdos -program
00000150 0d 0a 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ....MZ.. ........
00000160 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ........ ....@...
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000190 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c ........ ....!..L
000001A0 cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 .!This p rogram c
000001B0 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 annot be run in
000001C0 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 DOS mode ....$...
000001D0 00 00 00 00 ad 8a 42 12 e9 eb 2c 41 e9 eb 2c 41 ......B. ..,A..,A
000001E0 e9 eb 2c 41 fa e3 45 41 eb eb 2c 41 ec e7 4c 41 ..,A..EA ..,A..LA
000001F0 eb eb 2c 41 ec e7 23 41 f2 eb 2c 41 fa e3 71 41 ..,A..#A ..,A..qA
00000200 eb eb 2c 41 13 c8 35 41 ed eb 2c 41 6a e3 71 41 ..,A..5A ..,Aj.qA
00000210 e6 eb 2c 41 e9 eb 2d 41 f6 ea 2c 41 ec e7 73 41 ..,A..-A ..,A..sA
00000220 51 eb 2c 41 05 e0 72 41 e8 eb 2c 41 ec e7 76 41 Q.,A..rA ..,A..vA
00000230 e8 eb 2c 41 52 69 63 68 e9 eb 2c 41 00 00 00 00 ..,ARich ..,A....
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000250 00 00 00 00 50 45 00 00 4c 01 04 00 d0 84 34 46 ....PE.. L.....4F
...stuff deleted...
However, if I take that same putty.exe file, and download it from the Apache/Linux server where I hosted it, the rule does fire.

00000000 47 45 54 20 2f 70 75 74 74 79 2e 65 78 65 20 48 GET /put ty.exe H
00000010 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 36 TTP/1.1. .Host: 6
00000020 38 2e 33 33 2e 31 32 35 2e 31 38 39 0d 0a 55 73 8.33.125 .189..Us
00000030 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c er-Agent : Mozill
00000040 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 a/5.0 (W indows;
00000050 55 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e U; Windo ws NT 5.
00000060 31 3b 20 65 6e 2d 55 53 3b 20 72 76 3a 31 2e 38 1; en-US ; rv:1.8
00000070 2e 31 2e 34 29 20 47 65 63 6b 6f 2f 32 30 30 37 .1.4) Ge cko/2007
00000080 30 35 31 35 20 46 69 72 65 66 6f 78 2f 32 2e 30 0515 Fir efox/2.0
00000090 2e 30 2e 34 0d 0a 41 63 63 65 70 74 3a 20 74 65 .0.4..Ac cept: te
000000A0 78 74 2f 78 6d 6c 2c 61 70 70 6c 69 63 61 74 69 xt/xml,a pplicati
000000B0 6f 6e 2f 78 6d 6c 2c 61 70 70 6c 69 63 61 74 69 on/xml,a pplicati
000000C0 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 2c 74 65 78 on/xhtml +xml,tex
000000D0 74 2f 68 74 6d 6c 3b 71 3d 30 2e 39 2c 74 65 78 t/html;q =0.9,tex
000000E0 74 2f 70 6c 61 69 6e 3b 71 3d 30 2e 38 2c 69 6d t/plain; q=0.8,im
000000F0 61 67 65 2f 70 6e 67 2c 2a 2f 2a 3b 71 3d 30 2e age/png, */*;q=0.
00000100 35 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 5..Accep t-Langua
00000110 67 65 3a 20 65 6e 2d 75 73 2c 65 6e 3b 71 3d 30 ge: en-u s,en;q=0
00000120 2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 .5..Acce pt-Encod
00000130 69 6e 67 3a 20 67 7a 69 70 2c 64 65 66 6c 61 74 ing: gzi p,deflat
00000140 65 0d 0a 41 63 63 65 70 74 2d 43 68 61 72 73 65 e..Accep t-Charse
00000150 74 3a 20 49 53 4f 2d 38 38 35 39 2d 31 2c 75 74 t: ISO-8 859-1,ut
00000160 66 2d 38 3b 71 3d 30 2e 37 2c 2a 3b 71 3d 30 2e f-8;q=0. 7,*;q=0.
00000170 37 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 33 7..Keep- Alive: 3
00000180 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 00..Conn ection:
00000190 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 52 65 66 65 keep-ali ve..Refe
000001A0 72 65 72 3a 20 68 74 74 70 3a 2f 2f 36 38 2e 33 rer: htt p://68.3
000001B0 33 2e 31 32 35 2e 31 38 39 2f 44 61 76 65 48 5f 3.125.18 9/DaveH_
000001C0 69 6e 64 65 78 2e 68 74 6d 6c 0d 0a 0d 0a index.ht ml....

00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
00000010 0a 44 61 74 65 3a 20 57 65 64 2c 20 31 31 20 4a .Date: W ed, 11 J
00000020 75 6c 20 32 30 30 37 20 31 33 3a 35 39 3a 34 36 ul 2007 13:59:46
00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 GMT..Se rver: Ap
00000040 61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 ache..La st-Modif
00000050 69 65 64 3a 20 53 75 6e 2c 20 32 39 20 41 70 72 ied: Sun , 29 Apr
00000060 20 32 30 30 37 20 31 33 3a 30 32 3a 33 37 20 47 2007 13 :02:37 G
00000070 4d 54 0d 0a 45 54 61 67 3a 20 22 39 62 63 32 63 MT..ETag : "9bc2c
00000080 38 2d 36 66 30 30 30 2d 66 62 39 32 66 35 34 30 8-6f000- fb92f540
00000090 22 0d 0a 41 63 63 65 70 74 2d 52 61 6e 67 65 73 "..Accep t-Ranges
000000A0 3a 20 62 79 74 65 73 0d 0a 43 6f 6e 74 65 6e 74 : bytes. .Content
000000B0 2d 4c 65 6e 67 74 68 3a 20 34 35 34 36 35 36 0d -Length: 454656.
000000C0 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f .Connect ion: clo
000000D0 73 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 se..Cont ent-Type
000000E0 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 : applic ation/oc
000000F0 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a tet-stre am....
000000FE 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ...... ........
0000010E b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........ @.......
0000011E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0000012E 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ........ ........
0000013E 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........ !..L.!Th
0000014E 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is progr am canno
0000015E 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0000016E 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode.... $.......
0000017E ad 8a 42 12 e9 eb 2c 41 e9 eb 2c 41 e9 eb 2c 41 ..B...,A ..,A..,A
0000018E fa e3 45 41 eb eb 2c 41 ec e7 4c 41 eb eb 2c 41 ..EA..,A ..LA..,A
0000019E ec e7 23 41 f2 eb 2c 41 fa e3 71 41 eb eb 2c 41 ..#A..,A ..qA..,A
000001AE 13 c8 35 41 ed eb 2c 41 6a e3 71 41 e6 eb 2c 41 ..5A..,A j.qA..,A
000001BE e9 eb 2d 41 f6 ea 2c 41 ec e7 73 41 51 eb 2c 41 ..-A..,A ..sAQ.,A
000001CE 05 e0 72 41 e8 eb 2c 41 ec e7 76 41 e8 eb 2c 41 ..rA..,A ..vA..,A
000001DE 52 69 63 68 e9 eb 2c 41 00 00 00 00 00 00 00 00 Rich..,A ........
000001EE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001FE 50 45 00 00 4c 01 04 00 d0 84 34 46 00 00 00 00 PE..L... ..4F....
...stuff deleted...

The HTTP headers are a little different in the two cases, but it is not obvious to me that it should make any difference. In both cases you can do the indirection arithmetic and see that the PE header is located where it should be. I thought maybe the Content-Type header could have something to do with it, so on the server where I was hosting putty.exe, I added the application/x-msdos-program mime type so the server would send the same header as http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe. If the Content-Type header was involved somehow, I would expect my rule to fail when I download putty.exe from my server. But, it continues to work just fine, and it seems to work well in many cases as we're getting lots of detections on the rule. I just don't see what's different about downloading from http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe. Hopefully someone can explain this and perhaps offer a more reliable rule.

Here's the simple little web page that I used for hosting the executables.
<HTML>
<HEAD>
<TITLE> Test Page </TITLE>
</HEAD>
<BODY>
Click <a href="/notepad.exe" > here </a> to download notepad.exe
<BR>
<BR>
Click <a href="/putty.exe" > here </a> to download putty.exe
</BODY>
</HTML>
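As an added illustration, not part of David's post or of Snort itself, the Python below walks the posted rule's option chain over a single detection buffer (the depth:2 and from_beginning arithmetic he asks about) and, beside it, a relative-jump rule variant of my own construction (content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4) that is anchored to wherever "MZ" matches rather than to the buffer start. Snort option semantics are modelled from the Snort manual; the HTTP response head and the PE stub are constructed, with e_lfanew 0x100 as in the putty.exe dumps above.

```python
import struct

PE_SIG = b"PE\x00\x00"


def rule_from_beginning(buf: bytes) -> bool:
    """The posted rule's option chain over one detection buffer:
    content:"MZ"; depth:2; byte_jump:4,60,little,from_beginning;
    content:"PE|00 00|"; within:4;"""
    if buf[:2] != b"MZ":                      # depth:2 -> "MZ" must open the buffer
        return False
    if len(buf) < 64:                         # the 4 bytes at offset 60 must exist
        return False
    e_lfanew = struct.unpack_from("<I", buf, 60)[0]   # little-endian, from payload start
    return buf[e_lfanew:e_lfanew + 4] == PE_SIG       # within:4 -> exactly at the target


def rule_relative(buf: bytes) -> bool:
    """Constructed variant anchored to wherever "MZ" matches, not to the buffer
    start: content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|";
    distance:-64; within:4;"""
    pos = buf.find(b"MZ")
    while pos != -1:
        doe = pos + 2                         # detect pointer sits just after "MZ"
        if doe + 58 + 4 <= len(buf):
            value = struct.unpack_from("<I", buf, doe + 58)[0]
            doe = doe + 58 + 4 + value        # relative jump counts from the end of the read
            doe -= 64                         # distance:-64 brings it back to MZ + e_lfanew
            if buf[doe:doe + 4] == PE_SIG:
                return True
        pos = buf.find(b"MZ", pos + 1)        # otherwise try the next "MZ" occurrence
    return False


def make_pe_stub(e_lfanew: int = 0x100) -> bytes:
    """Constructed minimal PE-shaped body: DOS header whose e_lfanew (offset
    0x3c) is 0x100, as in the putty.exe dumps, and the PE signature there."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    dos[60:64] = struct.pack("<I", e_lfanew)
    return bytes(dos) + b"\x00" * (e_lfanew - 64) + PE_SIG + b"\x4c\x01"


# Constructed response head in the shape of the captures in the post.
HTTP_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdos-program\r\n"
             b"Content-Length: 454656\r\n\r\n")
SEGMENT_BODY_ONLY = make_pe_stub()                     # buffer begins at "MZ"
SEGMENT_HEADERS_AND_BODY = HTTP_HEAD + make_pe_stub()  # headers precede "MZ"

if __name__ == "__main__":
    for buf in (SEGMENT_BODY_ONLY, SEGMENT_HEADERS_AND_BODY):
        print(rule_from_beginning(buf), rule_relative(buf))  # True True / False True
```

The posted rule can only match a buffer whose first two bytes are "MZ", so whether it fires depends entirely on what Snort hands the detection engine as the buffer; the relative variant removes that dependency by measuring the jump from the match itself.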
Current thread:
- Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Paul Melson (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Will Metcalf (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)