Snort mailing list archives
Re: msg update for these, please?
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 28 Sep 2010 15:55:43 -0400
On 9/28/2010 15:19, Alex Kirk wrote:
16425 looks at a packet coming "up" from the client -yes, so the client is uploading a file... possibly a game or self-extracting binary to a file distribution channel like on the original BBS' where users uploaded and downloaded lottsa files all day long ;)No, it's not. It's sending a GET request to the server that has a URI which contains .exe. It's asking for a .exe file.
ahhh... my bad... i didn't/don't see a content:"GET "; depth:4; in there... i assume a GET is determined because it is http_uri? (yes, i realize that the content i just used up there is "old style" but it is extremely clear in its intent ;) ) how would that rule appear if it were an actual executable upload to the "server"? i assume that would be a POST...
which will then trigger data coming back "down" from the server that you may not want.hunh? where do you see that in 1:16425? it would be the job of /other/ rules to detect that, wouldn't it? ;)You don't see that in 16425. It's implied, though, from the fact that the client has requested a .exe file that it's probably going to get such a file returned to it. While 15306 will generally alert on the file being returned, we have SID 16425 because some people want to drop outbound requests that have .exe in the URI.
i can understand that... i missed, somehow, that this was a GET request... i hope your answers to the above can clarify that for me... that also means that my original post should have read like this... OLD: 15306 WEB-CLIENT Portable Executable binary file transfer 16425 WEB-CLIENT Portable Executable binary file transfer NEW: 15306 WEB-CLIENT Portable Executable binary file transfer 16425 WEB-CLIENT Executable binary file request OR: 15306 WEB-CLIENT Portable Executable binary file transfer to client 16425 WEB-CLIENT Executable binary file request to server this because .exe does not denote a PE .exe binary by default ;) i wonder what a GET /foo/my.exe.sourcecode.pas would do with that rule? :P maybe i need more c0ffee?
in any case, i really do think it best that the one to the client denotes that and the one to the server denotes that as well... no matter what else may happen after it gets where it is going :) i do try to adhere to the KISS principle and go with the most simple choice when i can instead of over-engineering things ;) :P > Duplicate messages are generally no fun, though, so how about making the second > one "WEB-CLIENT Portable Executable binary file transfer - .exe in URI"? that might work but see above... ;) > On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 () windstream net <mailto:wkitty42 () windstream net> <mailto:wkitty42 () windstream net <mailto:wkitty42 () windstream net>> > <mailto:wkitty42 () windstream net <mailto:wkitty42 () windstream net> <mailto:wkitty42 () windstream net <mailto:wkitty42 () windstream net>>>> wrote: > > > can we get a MSG update for these, please?? > > OLD: > 15306 WEB-CLIENT Portable Executable binary file transfer > 16425 WEB-CLIENT Portable Executable binary file transfer > > NEW: > 15306 WEB-CLIENT Portable Executable binary file transfer to client > 16425 WEB-CLIENT Portable Executable binary file transfer to server > > or some such? > > thanks!
------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- msg update for these, please? waldo kitty (Sep 28)
- Re: msg update for these, please? Alex Kirk (Sep 28)
- Re: msg update for these, please? waldo kitty (Sep 28)
- Re: msg update for these, please? Alex Kirk (Sep 28)
- Re: msg update for these, please? waldo kitty (Sep 28)
- Re: msg update for these, please? Alex Kirk (Sep 28)
- Re: msg update for these, please? waldo kitty (Sep 28)
- Re: msg update for these, please? Alex Kirk (Sep 28)
- Re: msg update for these, please? waldo kitty (Sep 28)
- Re: msg update for these, please? waldo kitty (Sep 28)
- Re: msg update for these, please? Alex Kirk (Sep 28)
- Re: msg update for these, please? Alex Kirk (Sep 28)
- Re: msg update for these, please? Jefferson, Shawn (Sep 28)
- Re: msg update for these, please? waldo kitty (Sep 28)