Snort mailing list archives
Re: Snort rule to detect Windows PE Executable Downloads
From: "Jeffrey Denton" <dentonj () gmail com>
Date: Thu, 12 Jul 2007 19:10:06 +0200
On 7/12/07, Humes, David G. <David.Humes () jhuapl edu> wrote:
I would like to have a Snort rule to reliably detect the download of a Windows PE executable file.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:6; ) If you are running the Bleedingthreats rules, this signatures are commented out by default. ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Paul Melson (Jul 12)
- Re: Snort rule to detect Windows PE ExecutableDownloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Humes, David G. (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Will Metcalf (Jul 13)
- Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads Matt Jonkman (Jul 12)
- Re: Snort rule to detect Windows PE Executable Downloads Jeffrey Denton (Jul 12)