Re: [Snort-users] .exe

From: tarik shalo (tarikshalogmail.com)
Date: Sat May 04 2013 - 15:34:16 CDT


Hi,

I had to collect your responses from the mailing list and put them into
this email, because I didn't receive the reply messages in my inbox.
Anyway, what I was trying to accomplish was to write a rule that fires
when executable files are downloaded from any web server. For that, I
put an .exe file on a web server and requested that file via HTTP from the
machine that runs Snort. After removing
"flow:to_server,established" from the rule, the rule fired, but from
your responses I think I was not doing it the right way. Could you
suggest a better way? Also, in which rule files are the Emerging
Threats rules 2000419 and 2015744?

-Thanks all guys

This is the response from waldo kitty.
FWIW: this rule will not detect .exe files only... what it detects is the
content of ".exe" in any traffic being *sent to a server*...

this post should fire this rule if snort is looking at your mail server's
connection when this message arrives... in fact, every message in this thread
should have fired your rule when they hit your smtp server if snort is in the
right place to see it...

The VRT ruleset contains rules looking for PE files also...

Sent from the iRoad

On May 4, 2013, at 7:18, James Lay <digitalx00gmail.com> wrote:

> How are you trying to test? Also check out Emerging Threats rules 2000419 and 2015744 for more info on rules that hit on exe.
> James
>
> On May 4, 2013, at 5:46 AM, tarik shalo <tarikshalogmail.com> wrote:
>
> > Hello,
> >
> > I wrote the following rule to test if Snort fires when any executable files are downloaded. However, the rule is not firing for some reason. Any help or other option to accomplish the same goal, please?
> > alert any any -> any any (msg: ".exe found"; flow:to_server,established; content:".exe"; nocase; classtype:policy-violation; sid:10000056; rev:1; )
> > -Shalo
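The point waldo kitty makes above (a `content:".exe"` match on traffic sent to a server keys on the file name in a request, a mail subject, or anything else, not on the file itself) is easy to see by running both kinds of check over sample traffic. The following is an added example and not code from this thread or from the Snort or Emerging Threats projects; all traffic in it is constructed, `http_body()` is a toy stand-in for Snort's `file_data` buffer (it does not dechunk or decompress), and the Snort rule in the closing comment is an illustrative sketch to be checked against your own Snort version, not a rule from any ruleset.

```python
# Added example (not from the Snort-users thread or the Snort project).
# It contrasts the poster's check, content:".exe" on traffic sent to the
# server, with a response-side check for a PE header, which is what a
# "PE file download" rule has to key on.  All traffic here is constructed.
import struct

# --- constructed sample traffic -------------------------------------------

# 1. The request the poster generated: the only ".exe" is in the URI, so a
#    to_server rule fires here even if the server answers with a 404 page.
REQUEST = b"GET /files/tool.exe HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

# 2. An SMTP message carrying this thread: ".exe" is in the subject line,
#    so the same rule fires on mail traffic too (waldo kitty's point).
MAIL = (b"Subject: Re: [Snort-users] .exe\r\n\r\n"
        b"I wrote a rule with content:\".exe\" and it did not fire.\r\n")


def minimal_pe(e_lfanew=0x80):
    """Smallest byte string a PE header check accepts: 'MZ' at offset 0 and
    an e_lfanew field (offset 0x3C) pointing at 'PE\\0\\0'.  Constructed."""
    hdr = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def http_response(body, content_type=b"application/octet-stream"):
    """Constructed HTTP/1.1 response with a Content-Length body (no chunking)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() +
            b"\r\n\r\n" + body)


# --- the two checks ---------------------------------------------------------

def naive_exe_rule(payload):
    """What `content:".exe"; nocase;` does: a substring match anywhere."""
    return b".exe" in payload.lower()


def http_body(raw):
    """Toy stand-in for Snort's file_data buffer: the bytes after the header
    block.  It does not dechunk or decompress; Snort's HTTP preprocessor
    does that before file_data is evaluated."""
    sep = raw.find(b"\r\n\r\n")
    return b"" if sep < 0 else raw[sep + 4:]


def is_pe(body):
    """PE check: 'MZ' at offset 0, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_download_rule(raw_response):
    """Response-side rule: fires on the content of the file, not its name."""
    return is_pe(http_body(raw_response))


# Sketch of the same logic as a Snort 2.9-style rule (illustrative, written
# for this example; verify the byte_jump modifiers against your version):
#   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
#     msg:"POLICY PE executable download"; flow:to_client,established;
#     file_data; content:"MZ"; depth:2;
#     byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4;
#     classtype:policy-violation; sid:1000001; rev:1;)

if __name__ == "__main__":
    cases = [
        ("request for tool.exe", REQUEST),
        ("mail message about this thread", MAIL),
        ("PE served as tool.exe", http_response(minimal_pe())),
        ("PE served as text/plain", http_response(minimal_pe(), b"text/plain")),
        ("404 page for tool.exe", http_response(b"<html>Not Found</html>", b"text/html")),
    ]
    for label, pkt in cases:
        print(f"{label:32} naive={naive_exe_rule(pkt)!s:5} pe={pe_download_rule(pkt)}")
```

The request and the mail message both trip the naive check, while the actual executable never does (nothing in the response says ".exe"); the PE check fires on the file regardless of its name or Content-Type and stays quiet on an HTML error page returned for an .exe URL. In a real deployment the rule has to sit on the server-to-client side (`flow:to_client`) and read the normalised body (`file_data`), which is what the thread's pointers to the VRT PE rules and the Emerging Threats rules are about.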

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!