You'll also need to change around your snort config if your dealing
mostly with HTTP downloading of .exe files.
You'll need to turn on stream reassembly for server response traffic and
expand the http_inspect flow_depth parameter.
Additionally, if you want to inspect ftp traffic for PE file transfers,
and your running the ftp_telnet preprocessor you'll need to remove
data_chan from the config so you can inspect ftp traffic.
Also if your interested in .exe files in smtp attachments you'll need to
write some MIME encoded representations of the PE heaer, and make sure
the smtp preprocessor config doesn't contain "ignore_data".
You might also want to check out /usr/share/file/magic as this is the
data set used by the "file" command to identify files. Its helpful in
identifying important pieces of files that are unique bits to match on.
Finally you could always try out sid:11192 rev:1 - "POLICY download of
executable content"
Cheers,
-matt
Will Metcalf wrote:
You will have to change your byte_jump as well, try making it relative to
your MZ match...
Regards,
Will
On 7/13/07, Humes, David G. <David.Humes@jhuapl.edu> wrote:
Removing the depth:2 option seems to have no visible effect. The rule
continues to fire on the examples where it worked previously, and fails
on the same ones where it didn't work before.
-----Original Message-----
From: snort-users-bounces@lists.sourceforge.net
[mailto:snort-users-bounces@lists.sourceforge.net] On Behalf
Of Matt Jonkman
Sent: Thursday, July 12, 2007 11:32 PM
To: Humes, David G.
Cc: snort-sigs@lists.sourceforge.net;
snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] [Snort-sigs] Snort rule to detect
Windows PE Executable Downloads
Humes, David G. wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable
Download"; content:"MZ"; depth:2;
byte_jump:4,60,little,from_beginning;
content:"PE|00 00|"; within:4; flow:established,from_server;
sid:8000143; classtype:bad-unknown; rev:1;)
It works this executable, http://www.cygwin.com/setup.exe, but not
using this,
http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.
Why? Could anyone try it on their sensors and let me know if it
behaves any differently. Or if anyone has any suggestions
on how to
do this that does not involve matching the "!This program cannot be
run in DOS mode." string, that would be appreciated. Sorry Matt, I
just don't think you can depend on that string any more.
I think you're right.
The issue with the above is you're assuming the exe is
starting at the beginning of the packet/stream, which it'll
not likely be. Drop the depth and try it that way. little
higher load, but should be more reliable.
If that does the trick then we can put the appropriate
versions into the bleeding ruleset, and adjust the existing
to not look for the dos string.
Matt
I will take a look at the PEHunter plugin that Jamie
suggests. But, I
think the rule, or something very similar, should work in all cases.
Thanks.
--Dave
----------------------------------------------------------------------
---
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
--------------------------------------------------------------
-----------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and
take control of your XML. No limits. Just data. Click to get
it now. http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
