Snort mailing list archives

Re: msg update for these, please?


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 28 Sep 2010 14:13:12 -0600

Would this rule trigger for a 16-bit DOS MZ executable being requested as well?  The PE in the alert description could 
be misleading maybe.  It looks like the rule only looks for ".exe" in the http_uri, and doesn't generate any alert by 
itself (just sets a flowbit that is checked by other rules).

Actually it looks like 15306 checks for both MZ and PE executables anyway... not that big of a deal I guess, everyone 
knows what it means when you see this alert.

________________________________
From: Alex Kirk [mailto:akirk () sourcefire com]
Sent: Tuesday, September 28, 2010 12:55 PM
To: Jefferson, Shawn
Cc: wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] msg update for these, please?

Well-put, Shawn. I just updated 16425 (for the next SEU, anyway) to read "WEB-CLIENT request for Portable Executable 
binary file", that should do the trick.
On Tue, Sep 28, 2010 at 3:45 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Maybe something along the lines of:

WEB-CLIENT Request for exe file

and

WEB-CLIENT Portable Executable binary file transfer

which would explain what's happening a little better, and avoid potential confusion hopefully.

________________________________
From: Alex Kirk [mailto:akirk () sourcefire com]
Sent: Tuesday, September 28, 2010 11:00 AM
To: wkitty42 () windstream net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] msg update for these, please?

Actually, they both look for PE files headed towards a client - the first looks for the PE signature itself coming 
down, the second for a request for a .exe.

Duplicate messages are generally no fun, though, so how about making the second one "WEB-CLIENT Portable Executable 
binary file transfer - .exe in URI"?
On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <wkitty42 () windstream net> wrote:

can we get a MSG update for these, please??

OLD:
15306   WEB-CLIENT Portable Executable binary file transfer
16425   WEB-CLIENT Portable Executable binary file transfer

NEW:
15306   WEB-CLIENT Portable Executable binary file transfer to client
16425   WEB-CLIENT Portable Executable binary file transfer to server

or some such?

thanks!


------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

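To make the MZ-versus-PE distinction raised above concrete, here is an added Python example (not the content of Snort rules 15306 or 16425, and not code from anyone in the thread) that classifies an HTTP response body by its executable header: a bare 16-bit DOS MZ file has no e_lfanew field, while NE, LE/LX and PE files carry a pointer at offset 0x3C to their secondary signature. The helper names, the `RESPONSE` sample and the header bytes are constructed for illustration.

```python
import struct


def classify_executable(data: bytes) -> str:
    """Classify a buffer by its executable header.

    Returns "none", "mz-dos" (16-bit DOS MZ only), "ne" (Win16 New
    Executable), "le" (Linear Executable) or "pe" (Portable Executable).
    """
    if len(data) < 2 or data[:2] != b"MZ":
        return "none"
    # A minimal DOS MZ header is 0x1C bytes; the e_lfanew pointer at 0x3C
    # only exists in the extended header that NE/LE/PE files use.
    if len(data) < 0x40:
        return "mz-dos"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A zero or out-of-range pointer means there is no secondary header.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return "mz-dos"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\x00\x00":
        return "pe"
    if sig[:2] == b"NE":
        return "ne"
    if sig[:2] in (b"LE", b"LX"):
        return "le"
    return "mz-dos"


def classify_http_response(raw: bytes) -> str:
    """Split a raw HTTP response at the header/body boundary and classify the body."""
    sep = raw.find(b"\r\n\r\n")
    body = raw[sep + 4:] if sep != -1 else b""
    return classify_executable(body)


def _mz(stub_len: int, sig: bytes = b"", lfanew: int = None) -> bytes:
    """Build a constructed MZ header (zero-filled) for the samples below."""
    hdr = bytearray(b"MZ" + b"\x00" * (stub_len - 2))
    if lfanew is not None:
        struct.pack_into("<I", hdr, 0x3C, lfanew)
    return bytes(hdr) + sig


# Constructed samples: a bare DOS header, a PE stub, and a Win16 NE stub.
SAMPLES = {
    "dos": _mz(0x1C),
    "pe": _mz(0x80, b"PE\x00\x00" + b"\x00" * 20, lfanew=0x80),
    "ne": _mz(0x40, b"NE\x00\x00", lfanew=0x40),
}
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + SAMPLES["pe"]
```

A URI-based check like the one described for 16425 only sees the ".exe" in the request, so a body check like this is what separates a plain DOS MZ download from a PE one.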
