Re: [Snort-sigs] [Snort-users] Snort rule to detect Windows PE Executable Downloads

Removing the depth:2 option seems to have no visible effect.  The rule
continues to fire on the examples where it worked previously, and fails
on the same ones where it didn't work before.  

> -----Original Message-----
> From: snort-users-bounces@lists.sourceforge.net 
> [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf 
> Of Matt Jonkman
> Sent: Thursday, July 12, 2007 11:32 PM
> To: Humes, David G.
> Cc: snort-sigs@lists.sourceforge.net; 
> snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] [Snort-sigs] Snort rule to detect 
> Windows PE Executable Downloads
>
>
>
>
> Humes, David G. wrote:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE Executable 
> > Download"; content:"MZ"; depth:2; 
> > byte_jump:4,60,little,from_beginning;
> > content:"PE|00 00|"; within:4; flow:established,from_server;
> > sid:8000143; classtype:bad-unknown; rev:1;)
> >
> > It works this executable, http://www.cygwin.com/setup.exe, but not 
> > using this,  
> http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe.  
> > Why? Could anyone try it on their sensors and let me know if it 
> > behaves any differently.  Or if anyone has any suggestions 
> on how to 
> > do this that does not involve matching the "!This program cannot be 
> > run in DOS mode." string, that would be appreciated.  Sorry Matt, I 
> > just don't think you can depend on that string any more.
>
> I think you're right.
>
> The issue with the above is you're assuming the exe is 
> starting at the beginning of the packet/stream, which it'll 
> not likely be. Drop the depth and try it that way. little 
> higher load, but should be more reliable.
>
> If that does the trick then we can put the appropriate 
> versions into the bleeding ruleset, and adjust the existing 
> to not look for the dos string.
>
> Matt
>
> > I will take a look at the PEHunter plugin that Jamie 
> suggests.  But, I 
> > think the rule, or something very similar, should work in all cases.
> >
> > Thanks.
> >
> > --Dave
> ----------------------------------------------------------------------
> > ---
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> -- 
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> 765-429-0398
> http://www.bleedingthreats.net
> --------------------------------------------
>
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>
>
>
> --------------------------------------------------------------
> -----------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and 
> take control of your XML. No limits. Just data. Click to get 
> it now. http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs