Network Security: Detailed info on Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executabl

Subject:	Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads
Date:	Fri, 13 Jul 2007 08:27:10 -0500

You will have to change your byte_jump as well, try making it relative to
your MZ match...

Regards,

Will

On 7/13/07, Humes, David G. <David.Humes@jhuapl.edu> wrote:


Removing the depth:2 option seems to have no visible effect.  The rule
continues to fire on the examples where it worked previously, and fails
on the same ones where it didn't work before.

> -----Original Message-----
> From: snort-users-bounces@lists.sourceforge.net
> [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf
> Of Matt Jonkman
> Sent: Thursday, July 12, 2007 11:32 PM
> To: Humes, David G.
> Cc: snort-sigs@lists.sourceforge.net;
> snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] [Snort-sigs] Snort rule to detect
> Windows PE Executable Downloads
>
>
>
>
> Humes, David G. wrote:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable
> > Download"; content:"MZ"; depth:2;
> > byte_jump:4,60,little,from_beginning;
> > content:"PE|00 00|"; within:4; flow:established,from_server;
> > sid:8000143; classtype:bad-unknown; rev:1;)
> >
> > It works this executable, http://www.cygwin.com/setup.exe, but not
> > using this,
> http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.
> > Why? Could anyone try it on their sensors and let me know if it
> > behaves any differently.  Or if anyone has any suggestions
> on how to
> > do this that does not involve matching the "!This program cannot be
> > run in DOS mode." string, that would be appreciated.  Sorry Matt, I
> > just don't think you can depend on that string any more.
>
> I think you're right.
>
> The issue with the above is you're assuming the exe is
> starting at the beginning of the packet/stream, which it'll
> not likely be. Drop the depth and try it that way. little
> higher load, but should be more reliable.
>
> If that does the trick then we can put the appropriate
> versions into the bleeding ruleset, and adjust the existing
> to not look for the dos string.
>
> Matt
>
> >
> > I will take a look at the PEHunter plugin that Jamie
> suggests.  But, I
> > think the rule, or something very similar, should work in all cases.
> >
> > Thanks.
> >
> > --Dave
> >
> >
> >
> ----------------------------------------------------------------------
> > ---
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> 765-429-0398
> http://www.bleedingthreats.net
> --------------------------------------------
>
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>
>
>
> --------------------------------------------------------------
> -----------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and
> take control of your XML. No limits. Just data. Click to get
> it now. http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] Snort rule to detect Windows PE Executable Downloads, Humes, David G. Re: [Snort-sigs] Snort rule to detect Windows PE Executable Downloads, Jamie Riden Re: [Snort-users] Snort rule to detect Windows PE Executable Downloads, Humes, David G. Re: [Snort-users] [Snort-sigs] Snort rule to detect Windows PE Executable Downloads, Matt Jonkman Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Humes, David G. Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Will Metcalf <= Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Matthew Watchinski

Previous by Date:	Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Humes, David G.
Next by Date:	Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Matthew Watchinski
Previous by Thread:	Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Humes, David G.
Next by Thread:	Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads, Matthew Watchinski
Indexes:	[Date] [Thread] [Top] [All Lists]