From: waldo kitty (wkitty42
windstream.net)
Date: Sat May 04 2013 - 13:44:36 CDT
On 5/4/2013 07:46, tarik shalo wrote:
> Hello,
>
> I wrote the following rule to test if Snort fires when any executable files are
> downloaded. However, the rule is not firing for some reason. Any help or other
> option to accomplish the same goal, pls?
>
> alert any any -> any any (msg: ".exe found"; flow:to_server,established;
> content:".exe"; nocase;classtype:policy-violation;sid:10000056;rev:1; )
FWIW: this rule will not detect .exe files only... what it detects is the
content of ".exe" in any traffic being *sent to a server*...
this post should fire this rule if snort is looking at your mail server's
connection when this message arrives... in fact, every message in this thread
should have fired your rule when they hit your smtp server if snort is in the
right place to see it...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
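To make the point above concrete, here is an added Python model (not from the thread, and not Snort itself) that applies the quoted rule's two conditions, the to_server flow direction and a case-insensitive ".exe" search, to constructed packets; it also shows a narrower check on the PE "MZ" magic in server responses, which is this editor's suggestion and not something proposed in the thread.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "to_server" (client -> server) or "to_client", as in Snort's flow keyword
    payload: bytes


def poster_rule_fires(pkt: Packet) -> bool:
    """The quoted rule reduced to its two matching conditions:
    flow:to_server and a case-insensitive search for ".exe" anywhere
    in the payload (content:".exe"; nocase)."""
    return pkt.direction == "to_server" and b".exe" in pkt.payload.lower()


def http_body(payload: bytes) -> bytes:
    """Return what follows the HTTP header block (empty if there is none)."""
    _, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def pe_download_rule_fires(pkt: Packet) -> bool:
    """Narrower check (assumed here, not from the thread): a server response
    whose body starts with the 'MZ' magic of a Windows PE executable,
    whatever the file name in the URL was."""
    return pkt.direction == "to_client" and http_body(pkt.payload)[:2] == b"MZ"


# Constructed traffic samples, not real captures.
SMTP_POST = Packet("to_server",
    b"Subject: snort .EXE rule\r\n\r\nwhy is content:\".exe\" not firing?\r\n")
HTTP_GET = Packet("to_server",
    b"GET /dl/setup.exe HTTP/1.1\r\nHost: files.example\r\n\r\n")
HTTP_PE_RESPONSE = Packet("to_client",
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00")
HTTP_TEXT_RESPONSE = Packet("to_client",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nrun setup.exe to install\r\n")


def evaluate(packets: dict) -> dict:
    """Map each sample name to (poster_rule_fires, pe_download_rule_fires)."""
    return {name: (poster_rule_fires(p), pe_download_rule_fires(p))
            for name, p in packets.items()}


if __name__ == "__main__":
    samples = {"smtp_post": SMTP_POST, "http_get": HTTP_GET,
               "http_pe_response": HTTP_PE_RESPONSE, "http_text_response": HTTP_TEXT_RESPONSE}
    for name, (poster, pe) in evaluate(samples).items():
        print(f"{name:20} poster_rule={poster!s:5} pe_download_rule={pe}")
```

The mail message and the GET request both fire the quoted rule, while the response that actually carries the executable does not, which is exactly the mismatch between the rule as written and the stated goal.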