Snort mailing list archives
Re: .exe
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 6 May 2013 16:42:24 -0400
Try adding -k none to your snort startup line.

On May 6, 2013, at 4:27 PM, tarik shalo <tarikshalo () gmail com> wrote:

> Hi,
>
> Yes, it alerts on ICMP traffic at least.
>
> Thanks
> -Shalo
>
> On Mon, May 6, 2013 at 11:01 PM, Joel Esler <jesler () sourcefire com> wrote:
>
>> Sounds like a configuration problem then. Verify that you can alert on the simplest traffic first.
>>
>> Try adding -k none to your snort startup line.
>>
>> On May 6, 2013, at 3:52 PM, tarik shalo <tarikshalo () gmail com> wrote:
>>
>>> Hi,
>>>
>>> I found the rule (15306) in "file-identify.rules" and removed the "flowbits:set, file.exe" from the rule so as to match your rule suggestion (the following). Then I tried to download "winscp514setup.exe" from a remote http server on the machine where Snort was running. But the rule still doesn't fire :(
>>>
>>> -Shalo
>>>
>>> On Mon, May 6, 2013 at 9:22 PM, Joel Esler <jesler () sourcefire com> wrote:
>>>
>>>> Try this rule:
>>>>
>>>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:service http, service imap, service pop3; classtype:policy-violation; sid:15306; rev:17;)
>>>>
>>>> On May 6, 2013, at 7:59 AM, tarik shalo <tarikshalo () gmail com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I edited the rule based on your comment, "Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files." But the rule didn't fire.
>>>>>
>>>>> Are there some executables that I can use to test for which there are corresponding Snort rules that catch them?
>>>>>
>>>>> Thanks again guys for the help and lessons that I am learning from your responses.
>>>>>
>>>>> Shalo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
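To make the cursor arithmetic of the rule quoted in this thread concrete, here is an added Python example (not code from the thread, the poster, or the Snort project) that emulates the detection options of SID 15306 over constructed sample buffers. It shows why content:"MZ" alone or content:".exe" would be weak, and how byte_jump:4,58,relative,little followed by content:"PE|00 00|"; within:4; distance:-64 lands exactly on the PE signature at the offset stored in the DOS header's e_lfanew field. The sample byte strings and the function names are constructed for this example; the Snort cursor semantics (unanchored content search with retry on later occurrences, byte_jump moving past the bytes it reads) are mirrored as I understand them and should be checked against the Snort manual for your version.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"


def build_mz_sample(e_lfanew, signature=PE_SIGNATURE):
    """Construct a minimal MZ/PE-shaped byte string (constructed sample, not a real binary).

    Only the fields the rule relies on are populated: 'MZ' at offset 0, the 4-byte
    little-endian e_lfanew field at offset 60, and a 4-byte signature at the offset
    e_lfanew points to. Real PE files carry a DOS stub in between; here it is zeros.
    """
    if e_lfanew < 64:
        raise ValueError("e_lfanew must not overlap the DOS header")
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    buf[60:64] = struct.pack("<I", e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = signature
    return bytes(buf)


def rule_15306_matches(file_data):
    """Emulate the detection options of SID 15306 on one file_data buffer:

        content:"MZ"; byte_jump:4,58,relative,little;
        content:"PE|00 00|"; within:4; distance:-64;

    The first content has no offset/depth, so it is searched anywhere in the
    buffer; if the later options fail, Snort retries from the next occurrence,
    which the loop below reproduces.
    """
    start = 0
    while True:
        idx = file_data.find(b"MZ", start)
        if idx < 0:
            return False
        cursor = idx + 2                     # cursor sits just after "MZ"
        field = cursor + 58                  # offset 60 of the DOS header (e_lfanew)
        if field + 4 <= len(file_data):
            e_lfanew = struct.unpack_from("<I", file_data, field)[0]
            # byte_jump skips the 4 bytes it read, then jumps by their value
            cursor = field + 4 + e_lfanew
            # distance:-64 backs the cursor up to e_lfanew itself; within:4 leaves
            # room only for a 4-byte content starting exactly there
            window_start = cursor - 64
            if file_data[window_start:window_start + 4] == PE_SIGNATURE:
                return True
        start = idx + 1


def pe_signature_offset(file_data):
    """Direct parse of the same header fields, used to cross-check the emulation.

    Unlike the rule, this requires 'MZ' at offset 0 of the buffer.
    """
    if len(file_data) < 64 or file_data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", file_data, 60)[0]
    if file_data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    return e_lfanew


# Constructed samples: a PE-shaped file, a DOS-era MZ executable with no PE
# signature, a text body that merely mentions ".exe" and "MZ", and a PE-shaped
# file preceded by junk (the unanchored "MZ" search still reaches it).
SAMPLES = {
    "pe": build_mz_sample(0x80),
    "dos_mz_only": build_mz_sample(0x80, signature=b"\x00\x00\x00\x00"),
    "text_mentioning_exe": b"GET winscp514setup.exe HTTP/1.1 ... MZ was here",
    "pe_after_junk": b"JUNKMZ\x00\x00" + build_mz_sample(0x40),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22s} rule_15306={rule_15306_matches(data)!s:5s} "
              f"e_lfanew={pe_signature_offset(data)}")
```

The "pe_after_junk" sample is the one to note: the rule fires because content:"MZ" is unanchored within file_data, while the strict parser rejects the buffer. Separately, the -k none suggestion in the thread sets Snort's checksum mode to none, so packets whose TCP/IP checksums are wrong are still inspected; when Snort captures on the same host that performs the download, transmit checksum offloading commonly produces exactly such packets, and with the default checksum mode they are never run against the rules at all.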