Snort mailing list archives
Re: Hello
From: vishesh kumar <linuxtovishesh () gmail com>
Date: Fri, 2 Apr 2010 20:08:35 +0530
Thanks Matt, I will try it and let you know. Thanks

On Fri, Apr 2, 2010 at 5:57 PM, Matt Olney <molney () sourcefire com> wrote:

> You can look for the client request:
>
>   alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL .exe download request"; flow: to_server, established; content:".exe"; http_uri; nocase; pcre:"/\.exe(\?|$)/Ui"; classtype: attempted-admin; sid: 8;)
>
> You can look for server response:
>
> 2.8.5 Compliant:
>
>   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE file detct"; content:"MZ"; byte_jump: 4, 58, relative, little, post_offset -64; content:"PE"; distance: 0; within: 2; classtype: attempted-admin; sid: 6;)
>
> 2.8.6 Compliant:
>
>   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE file detct"; file_data; content:"MZ"; depth: 2; byte_jump: 4, 58, relative, little, post_offset -64; content:"PE"; distance: 0; within: 2; classtype: attempted-admin; sid: 7;)
>
> Matt
>
> On Fri, Apr 2, 2010 at 4:16 AM, vishesh kumar <linuxtovishesh () gmail com> wrote:
>
>> I want to create a rule that alerts me when any exe is downloaded using http from the internet. Thanks
>>
>> On 4/1/10, Mike Lococo <mikelococo () gmail com> wrote:
>>
>>> > My query is I want to monitor exe downloads in my network, how can I achieve that?
>>>
>>> The Emerging Threats project has sigs to monitor for win32 executable downloads. See the following post/thread:
>>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-August/003438.html
>>>
>>> You should also really consider using a more descriptive subject line in the future: http://www.catb.org/~esr/faqs/smart-questions.html
>>>
>>> Cheers,
>>> Mike Lococo
>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> --
>> Sent from my mobile device
>> http://linuxinterviews.blogspot.com

--
http://linuxinterviews.blogspot.com
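As an added example (not code from the thread or from Sourcefire), the following Python re-implements in plain code what Matt's server-response rules test: "MZ" at the start of the HTTP body, the 4-byte little-endian e_lfanew field at offset 60 (byte_jump's offset 58 relative to the cursor that sits after "MZ"), and "PE" at exactly the offset that value names; it also mirrors the client-request rule's URI check. The sample bodies and URIs are constructed, and the function names are this example's own.

```python
import re
import struct

# Mirrors pcre:"/\.exe(\?|$)/Ui" together with http_uri and nocase from the client-request rule.
EXE_URI_RE = re.compile(r"\.exe(\?|$)", re.IGNORECASE)


def uri_requests_exe(uri: str) -> bool:
    """True when the request URI ends in .exe or has .exe right before the query string."""
    return EXE_URI_RE.search(uri) is not None


def body_looks_like_pe(body: bytes) -> bool:
    """Re-implements the 2.8.6 rule's byte_jump arithmetic on a reassembled response body.

    content:"MZ"; depth:2               -> "MZ" must be the first two bytes; cursor is now at 2
    byte_jump: 4, 58, relative, little  -> read 4 bytes at 2+58 = 60 (the DOS header's e_lfanew)
                                           as little-endian; cursor moves to 64
    post_offset -64                     -> jump by e_lfanew - 64, i.e. land exactly at e_lfanew
    content:"PE"; distance:0; within:2  -> "PE" must sit at that offset, not merely after it
    (The 2.8.5 variant has no depth:2, so its "MZ" may match anywhere in the stream.)
    """
    if len(body) < 64 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 60)[0]
    # A jump past the end of the buffer fails the match instead of reading out of bounds.
    if e_lfanew + 2 > len(body):
        return False
    return body[e_lfanew:e_lfanew + 2] == b"PE"


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal stub: 64-byte DOS header carrying e_lfanew, then 'PE\\0\\0' at that offset."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 60, e_lfanew)
    return bytes(dos) + b"\x00" * (e_lfanew - 64) + b"PE\x00\x00"


# Constructed samples: a PE stub, an HTML page, and a PE header cut off before e_lfanew.
SAMPLES = {
    "pe": make_fake_pe(),
    "html": b"<html><body>not an executable</body></html>",
    "truncated": make_fake_pe()[:100],
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {body_looks_like_pe(body)}")
    print(uri_requests_exe("/downloads/setup.EXE?id=3"), uri_requests_exe("/exe/index.html"))
```

Running it prints True only for the PE stub and for the first URI; the truncated header shows why the rule cannot fire on a partial response without stream reassembly.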