Snort mailing list archives

Re: Snort rule to detect Windows PE Executable Downloads


From: "Jeffrey Denton" <dentonj () gmail com>
Date: Thu, 12 Jul 2007 19:10:06 +0200

On 7/12/07, Humes, David G. <David.Humes () jhuapl edu> wrote:
I would like to have a Snort rule to reliably detect the download of a
Windows PE executable file.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:6; )


If you are running the Bleedingthreats rules, these signatures are
commented out by default.
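Editor's note: the example below is added to this archive page and is not part of the post above or of the Bleeding Edge / Snort projects. It replays the content / distance / isdataat chain of sids 2000419 and 2000427 in Python over constructed byte buffers that mimic the start of a PE file, and sets it beside a check that follows e_lfanew (offset 0x3C of the MZ header) to the real "PE\0\0" signature. The buffers, the e_lfanew values and the "OPEN" text are all constructed here; the treatment of isdataat as "at least N bytes remain after the last match" is a simplification of Snort's boundary handling that does not affect these samples.

```python
"""Replay the Bleeding Edge PE-download content chains on raw bytes.

Added example for this archive page; not code from the original post or
from the Snort / Bleeding Edge projects. All sample buffers are constructed.
"""
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode."   # sid 2000419
WIN32_STUB_MSG = b"This program must be run under Win32"    # sid 2000427


def _content_chain(buf: bytes, stub_msg: bytes, tail_isdataat: int) -> bool:
    """MZ; isdataat:76,relative; <stub>; distance:0; isdataat:N,relative;
    "PE"; distance:0.

    Each content match moves a cursor; distance:0 makes the next search start
    at that cursor; isdataat:N,relative needs N more bytes after the match.
    One pass over the first "MZ" is enough: a later "MZ" has even fewer bytes
    after it, so it cannot satisfy a chain the first one failed.
    Like Snort, this only sees the buffer it is handed (one packet or one
    reassembled slice); a stub split across packets would not match.
    """
    mz = buf.find(b"MZ")
    if mz < 0 or len(buf) - (mz + 2) < 76:          # isdataat:76,relative
        return False
    stub = buf.find(stub_msg, mz + 2)                # distance:0
    if stub < 0:
        return False
    after = stub + len(stub_msg)
    if len(buf) - after < tail_isdataat:             # isdataat:N,relative
        return False
    return buf.find(b"PE", after) >= 0               # distance:0


def matches_sid_2000419(buf: bytes) -> bool:
    return _content_chain(buf, DOS_STUB_MSG, 10)


def matches_sid_2000427(buf: bytes) -> bool:
    return _content_chain(buf, WIN32_STUB_MSG, 140)


def pe_signature_at_lfanew(buf: bytes) -> bool:
    """Follow the header instead of string matching: the little-endian DWORD
    at 0x3C (e_lfanew) is the offset of the 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample(stub_msg: bytes = DOS_STUB_MSG, lfanew: int = 0x80) -> bytes:
    """Construct the first bytes of a PE-like file: MZ header with e_lfanew,
    a classic DOS stub carrying stub_msg, then a PE signature and a minimal
    COFF header (machine 0x14C = i386). Constructed sample, not a real file."""
    hdr = bytearray(b"MZ\x90\x00\x03\x00" + b"\x00" * (0x3C - 6))
    hdr += struct.pack("<I", lfanew)                 # e_lfanew at 0x3C
    hdr += (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + stub_msg + b"\r\r\n$")                 # DOS stub code + message
    hdr += b"\x00" * (lfanew - len(hdr))             # pad up to e_lfanew
    hdr += b"PE\0\0" + struct.pack("<H", 0x14C) + b"\x00" * 18
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_sample()
    win32 = build_sample(WIN32_STUB_MSG, lfanew=0x100)
    # "PE" as ordinary text after the stub still satisfies the content chain,
    # while the header-following check sees no signature at e_lfanew.
    loose = sample.replace(b"PE\0\0", b"\0\0\0\0") + b" OPEN"
    for name, buf in [("sample", sample), ("win32", win32), ("loose", loose),
                      ("truncated", sample[:60])]:
        print(f"{name:9s} 2000419={matches_sid_2000419(buf)!s:5s} "
              f"2000427={matches_sid_2000427(buf)!s:5s} "
              f"lfanew={pe_signature_at_lfanew(buf)}")
```

The `win32` buffer is built with e_lfanew at 0x100 because the second rule's isdataat:140 needs that much data after the stub string in the same buffer; with the shorter 0x80 layout the rule does not fire even though the file is well formed, which is the kind of buffer-length dependence to keep in mind when these signatures are tuned.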

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users