Snort mailing list archives

Re: msg update for these, please?


From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 28 Sep 2010 14:38:38 -0400

On Tue, Sep 28, 2010 at 2:13 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 9/28/2010 14:00, Alex Kirk wrote:
Actually, they both look for PE files headed towards a client - the first looks for the PE signature itself coming down, the second for a request for a .exe.

hey, alex, thanks... i was looking at the flow:to_client and flow:to_server
aspect of them ;)

dn? 15306 $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client
up? 16425 $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server


Not sure what you're asking here. Yes, SID 15306 is for data traveling
"down" to the client, 16425 looks at a packet coming "up" from the client -
which will then trigger data coming back "down" from the server that you may
not want.



Duplicate messages are generally no fun, though, so how about making the second one "WEB-CLIENT Portable Executable binary file transfer - .exe in URI"?

that might work but see above... ;)

On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 () windstream net> wrote:


    can we get a MSG update for these, please??

    OLD:
    15306   WEB-CLIENT Portable Executable binary file transfer
    16425   WEB-CLIENT Portable Executable binary file transfer

    NEW:
    15306   WEB-CLIENT Portable Executable binary file transfer to client
    16425   WEB-CLIENT Portable Executable binary file transfer to server

    or some such?

    thanks!




------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
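The direction distinction discussed above, as an added illustrative rule pair that is not the actual Sourcefire rules for SIDs 15306 and 16425 (the SIDs 1000001/1000002 are placeholders from the local range, and the `file_data` buffer assumes a Snort 2.9-style HTTP inspector that exposes the decoded response body):

```snort
# Illustrative rule pair, not the real Sourcefire rules for SIDs 15306/16425.
# SIDs 1000001/1000002 are local-range placeholders; the msg strings follow the
# naming suggested in the thread.

# "Down" direction: a server response delivering a PE image to the client.
# flow:to_client restricts matching to the server->client half of an established
# session, so this fires on the binary itself arriving. "MZ" at offset 0 of the
# decoded response body is the DOS header magic that every PE file starts with.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEB-CLIENT Portable Executable binary file transfer"; \
    flow:to_client,established; \
    file_data; content:"MZ"; depth:2; \
    classtype:misc-activity; sid:1000001; rev:1; )

# "Up" direction: a client request whose URI names a .exe. flow:to_server makes
# this fire on the request, before any data has come back, so it alerts even when
# the server never returns a PE, which is why a distinct msg avoids confusion.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"WEB-CLIENT Portable Executable binary file transfer - .exe in URI"; \
    flow:to_server,established; \
    uricontent:".exe"; nocase; \
    classtype:misc-activity; sid:1000002; rev:1; )
```

Both rules can fire for one download, the second on the request and the first on the response, so when tuning, suppress or threshold them separately rather than treating them as one signature.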