Re: [Snort-users] .exe

From: Shields, Joseph (NIH/NIEHS) [C] (joseph.shields@nih.gov)
Date: Mon May 06 2013 - 13:06:23 CDT


I've been able to find the 2000419 rule within the emerging threats rule file, however, I have not been able to find the 2015744 rule. I have spent some time searching and after no success thought I'd ask for some assistance. This is the link I used:

http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules

Thanks for the help.

Brian

From: Caleb Jaren [mailto:tropism.prophet@gmail.com]
Sent: Sunday, May 05, 2013 1:52 AM
To: waldo kitty
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] .exe

Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files.

On May 4, 2013 7:30 PM, "waldo kitty" <wkitty42@windstream.net> wrote:
>
> On 5/4/2013 16:34, tarik shalo wrote:
> > Hi,
> >
> > I had to collect and put your responses from the mailing list into this
> > email, because I didn't get the reply messages in my email.
>
> i don't know how others do it but i only reply to the list unless special
> circumstances are in play... you should be getting all messages from the list...
> if you aren't, you might want to check our spam bucket ;)
>
> > Anyway, What I was trying to accomplish was to write a rule that fires when
> > executable files are downloaded from any web server. For that, I put an .exe
> > file on a web server and requested that file via http from the machine that
> > runs Snort. After removing the "flow:to_server,established" from the rule,
> > the rule fired but from your responses, I think I was not doing it the right
> > way. Could you suggest a better way?
>
> well, the thing is that detecting the extension is not going to be complete...
> you need to detect the binary signature(s)... some DOS/Winwhatever EXEs start
> with MZ while most of today's stuff starts with PE but there's a bit more to it
> than just that...
>
> additionally, it is not just a "content" detection anywhere like in headers
> which your rule would catch... VRT has numerous rules which work for detecting
> items like this... in particular, the file-executable.rules which set flowbits
> (without an alert) indicating that such a file was detected and then other rules
> are used to detect if the flowbit is set as well as looking at other aspects of
> the data to determine if an alert should be fired for policy violations or
> malware or such...
>
> so basically, you cannot detect an EXE file simply by looking for ".exe" in the
> traffic... you have to detect the signature of an executable binary... that
> means looking inside binary files to see what is uniform to be used for detection...
>
> > Also, in which rule files are the emerging threat rules 2000419 and 2015744?
>
> those are in the Emerging Threats rules set... it is distributed by Emerging
> Threats and completely separate from the VRT rules...
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please keep mailing list traffic on the list unless
> private contact is specifically requested and granted.
>

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
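The signature-based approach the thread recommends, worked through as an added example (this is not code from the thread, from the Emerging Threats rules, or from the VRT file-executable rules): a small Python script that takes a constructed HTTP exchange and places the extension-based verdict (".exe" in the request URI) next to a check for the MZ magic at offset 0 plus the "PE\0\0" signature reached through the e_lfanew pointer at offset 0x3c. The rule text in the docstring is an illustrative local rule written for this example and assumes Snort 2.9 option syntax (flow, file_data, content with depth); the sample responses are constructed test data, not captured traffic.

```python
"""Signature-based check for a PE executable in an HTTP response body.

Added example for this thread, not code from the thread, from the
Emerging Threats rules or from the VRT file-executable rules.  The HTTP
exchanges below are constructed test data, not captured traffic.

The rule text this mirrors (illustrative local rule, Snort 2.9 syntax):

  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
      msg:"PE executable in HTTP response body";
      flow:from_server,established; file_data;
      content:"MZ"; depth:2;
      classtype:policy-violation; sid:1000001; rev:1;)

content:"MZ" is the same as content:"|4d 5a|"; depth:2 pins it to the
start of the (normalized) body instead of matching anywhere in the stream.
"""

import struct

MZ = b"MZ"              # |4d 5a|, e_magic at offset 0 of a DOS/PE image
PE_SIG = b"PE\x00\x00"  # NT signature at the offset stored in e_lfanew
E_LFANEW_OFFSET = 0x3C  # where the 4-byte little-endian e_lfanew lives


def is_pe_executable(body: bytes) -> bool:
    """True if body starts with MZ and e_lfanew points at 'PE\\0\\0'.

    Requiring the PE signature as well as MZ filters out plain DOS
    executables and anything that merely happens to start with 'MZ'.
    """
    if len(body) < E_LFANEW_OFFSET + 4 or body[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, E_LFANEW_OFFSET)
    if e_lfanew + len(PE_SIG) > len(body):
        return False  # truncated body or bogus pointer: cannot confirm
    return body[e_lfanew:e_lfanew + len(PE_SIG)] == PE_SIG


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(request_uri: bytes, response: bytes) -> dict:
    """Extension-based verdict (what the original rule did) next to the
    signature-based verdict (what the thread recommends)."""
    _, headers, body = split_http_response(response)
    return {
        "uri_ends_exe": request_uri.lower().endswith(b".exe"),
        "content_type": headers.get(b"content-type", b"").decode(),
        "signature_pe": is_pe_executable(body),
    }


def build_fake_pe(total_len: int = 128) -> bytes:
    """Constructed minimal buffer satisfying the MZ/PE checks (test data).

    It is not a loadable executable; it only carries the two signatures
    and the e_lfanew pointer that links them.
    """
    buf = bytearray(total_len)
    buf[0:2] = MZ
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)  # e_lfanew -> 0x40
    buf[0x40:0x40 + len(PE_SIG)] = PE_SIG
    return bytes(buf)


# Constructed exchanges (not captured traffic):
# 1. a PE served under an innocent name and a misleading Content-Type
EXE_RENAMED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 128\r\n\r\n" + build_fake_pe()
)
# 2. a request for something.exe that actually gets an HTML error page
HTML_NAMED_EXE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>not here</body></html>"
)
# 3. a body that starts with MZ but has no PE signature behind it
MZ_ONLY = b"HTTP/1.1 200 OK\r\n\r\n" + MZ + bytes(126)


if __name__ == "__main__":
    for uri, resp in ((b"/logo.gif", EXE_RENAMED),
                      (b"/setup.exe", HTML_NAMED_EXE),
                      (b"/old.com", MZ_ONLY)):
        print(uri.decode(), classify(uri, resp))
```

The renamed executable is caught only by the signature check, and the request for a name ending in ".exe" that returns an HTML page is flagged only by the extension check, which is the point waldo kitty makes above. The e_lfanew step is what separates a PE from a bare DOS stub; in a rule it can be followed with byte_jump, which the illustrative rule above leaves out to stay at the two options Caleb Jaren suggested. Because the check needs the first 0x40 bytes of the body plus the bytes at e_lfanew, it has to run on the reassembled, normalized HTTP body (file_data) rather than on a single packet.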