[Snort-users] .exe
tarik shalo
Ray Caparros
James Lay
James
On May 4, 2013, at 5:46 AM, tarik shalo <tarik...@gmail.com> wrote:
> Hello,
>
> I wrote the following rule to test if Snort fires when any executable files are downloaded. However, the rule is not firing for some reason. Any help or other option to accomplish the same goal, pls?
>
> alert any any -> any any (msg: ".exe found"; flow:to_server,established; content:".exe"; nocase;classtype:policy-violation;sid:10000056;rev:1; )
>
> -Shalo
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It's a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2_______________________________________________
> Snort-users mailing list
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
JJ Cummings
Sent from the iRoad
waldo kitty
> Hello,
>
> I wrote the following rule to test if Snort fires when any executable files are
> downloaded. However, the rule is not firing for some reason. Any help or other
> option to accomplish the same goal, pls?
>
> alert any any -> any any (msg: ".exe found"; flow:to_server,established;
> content:".exe"; nocase;classtype:policy-violation;sid:10000056;rev:1; )
content of ".exe" in any traffic being *sent to a server*...
this post should fire this rule if snort is looking at your mail server's
connection when this message arrives... in fact, every message in this thread
should have fired your rule when they hit your smtp server if snort is in the
right place to see it...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
tarik shalo
Hi,
I had to collect and put your responses from the mailing list into this email, because I didn't get the reply messages in my email. Anyway, What I was trying to accomplish was to write a rule that fires when executable files are downloaded from any web server. For that, I put .exe file in a web server and requested that file via httpfrom the machine that runs Snort. After removing the "flow:to_server,established" from the rule, the rule fired but from your responses, I think I was not doing it the right way. Could you suggest me a better way? Also, in which rule files are the emerging threat rules 2000419 and 2015744?
-Thanks all guys
This is the response from waldo kitty. FWIW: this rule will not detect .exe files only... what it detects is the content of ".exe" in any traffic being *sent to a server*... this post should fire this rule if snort is looking at your mail server's connection when this message arrives... in fact, every message in this thread should have fired your rule when they hit your smtp server if snort is in the right place to see it...
The VRT ruleset contains rules looking for PE files also... Sent from the iRoad On May 4, 2013, at 7:18, James Lay <digit...@gmail.com
> wrote: > Ho are you trying to test? Also check out Emerging Threat rules 2000419 and \ > 2015744 for more info on rules that hit on exe. > James > > On May 4, 2013, at 5:46 AM, tarik shalo <tarik...@gmail.com> wrote: > > > Hello, > > > > I wrote the following rule to test if Snort fires when any executable files are \ > > downloaded. However, the rule is not firing for some reason. Any help or other \ > > option to accomplish the same goal, pls? > > alert any any -> any any (msg: ".exe found"; flow:to_server,established; \ > > content:".exe"; nocase;classtype:policy-violation;sid:10000056;rev:1; ) > > -Shalo
waldo kitty
> Hi,
>
> I had to collect and put your responses from the mailing list into this
> email, because I didn't get the reply messages in my email.
circumstances are in play... you should be getting all messages from the list...
if you aren't, you might want to check our spam bucket ;)
> Anyway, What I was trying to accomplish was to write a rule that fires when
> executable files are downloaded from any web server. For that, I put .exe
> file in a web server and requested that file via httpfrom the machine that
> runs Snort. After removing the"flow:to_server,established" from the rule,
> the rule fired but from your responses, I think I was not doing it the right
> way. Could you suggest me a better way?
you need to detect the binary signature(s)... some DOS/Winwhatever EXEs start
with MZ while most of todays stuff starts with PE but there's a bit more to it
than just that...
additionally, it is not just a "content" detection anywhere like in headers
which your rule would catch... VRT has numerous rules which work for detecting
items like this... in particular, the file-executable.rules which set flowbits
(without an alert) indicating that such a file was detected and then other rules
are used to detect if the flowbit is set as well as looking at other aspects of
the data to determine if an alert should be fired for policy violations or
malware or such...
so basically, you cannot detect an EXE file simply by looking for ".exe" in the
traffic... you have to detect the signature of an executable binary... that
means looking inside binary files to see what is uniform to be used for detection...
> Also, in which rule files are the emerging threat rules 2000419 and 2015744?
Threats and completely separate from the VRT rules...
waldo kitty
> On 5/4/2013 16:34, tarik shalo wrote:
>> Hi,
>>
>> I had to collect and put your responses from the mailing list into this
>> email, because I didn't get the reply messages in my email.
>
> i don't know how others do it but i only reply to the list unless special
> circumstances are in play... you should be getting all messages from the list...
> if you aren't, you might want to check our spam bucket ;)
Caleb Jaren
Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files.
On May 4, 2013 7:30 PM, "waldo kitty" <wkit...@windstream.net> wrote:
>
> On 5/4/2013 16:34, tarik shalo wrote:
> > Hi,
> >
> > I had to collect and put your responses from the mailing list into this
> > email, because I didn't get the reply messages in my email.
>
> i don't know how others do it but i only reply to the list unless special
> circumstances are in play... you should be getting all messages from the list...
> if you aren't, you might want to check our spam bucket ;)
>
> > Anyway, What I was trying to accomplish was to write a rule that fires when
> > executable files are downloaded from any web server. For that, I put .exe
> > file in a web server and requested that file via httpfrom the machine that
> > runs Snort. After removing the"flow:to_server,established" from the rule,
> > the rule fired but from your responses, I think I was not doing it the right
> > way. Could you suggest me a better way?
>
> well, the thing is that detecting the extension is not going to be complete...
> you need to detect the binary signature(s)... some DOS/Winwhatever EXEs start
> with MZ while most of todays stuff starts with PE but there's a bit more to it
> than just that...
>
> additionally, it is not just a "content" detection anywhere like in headers
> which your rule would catch... VRT has numerous rules which work for detecting
> items like this... in particular, the file-executable.rules which set flowbits
> (without an alert) indicating that such a file was detected and then other rules
> are used to detect if the flowbit is set as well as looking at other aspects of
> the data to determine if an alert should be fired for policy violations or
> malware or such...
>
> so basically, you cannot detect an EXE file simply by looking for ".exe" in the
> traffic... you have to detect the signature of an executable binary... that
> means looking inside binary files to see what is uniform to be used for detection...
>
> > Also, in which rule files are the emerging threat rules 2000419 and 2015744?
>
> those are in the Emerging Threats rules set... it is distributed by Emerging
> Threats and completely separate from the VRT rules...
>
Jeff Kell
Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files.
It's one thing to create a signature to detect a "known thing". It's another thing entirely to reduce or eliminate false positives.
The former will gain you points on the "canned" IDS/IPS test suites. The latter will gain you points in the real world.
Jeff
waldo kitty
> On 5/5/2013 1:51 AM, Caleb Jaren wrote:
>>
>> Try flow:from_server,established; and instead of the string ".exe" try
>> content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the
>> beginning of most PE files.
>
> And based on that alone, on any random data stream matching on two bytes "4d 5a"
> you're going to get a hit every 64K data packets. If you're including
> SSL/TLS/VPN/etc encrypted traffic you're going to hit.
indication as well as being restricted to the proper buffer...
> It's one thing to create a signature to detect a "known thing". It's another
> thing entirely to reduce or eliminate false positives.
> The former will gain you points on the "canned" IDS/IPS test suites. The latter
> will gain you points in the real world.
tarik shalo
Hi,
I edited the rule based on ur comment, "Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files."
But the rule didn't fire. Are there some executables that i can use to test for which there are corresponding Snort rules that catch them?
-Thanks again guys for the help and lessons that i am learning from your responses.
Shalo
Shields, Joseph (NIH/NIEHS) [C]
I’ve been able to find the 2000419 rule within the emerging threats rule file, however, I have not been able to find the 2015744 rule. I have spent some time searching and after no success thought I’d ask for some assistance. This is the link I used:
http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
Thanks for the help.
Brian
From: Caleb Jaren [mailto:tropism...@gmail.com]
Sent: Sunday, May 05, 2013 1:52 AM
To: waldo kitty
Cc: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] .exe
Try flow:from_server,established; and instead of the string ".exe" try content:"|4d 5a|"; which is equivalent to the text string "MZ" found at the beginning of most PE files.
On May 4, 2013 7:30 PM, "waldo kitty" <wkit...@windstream.net> wrote:
Joel Esler
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:service http, service imap, service pop3; classtype:policy-violation; sid:15306; rev:17;)
> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
> Get 100% visibility into your production application - at no cost.
> Code-level diagnostics for performance bottlenecks with <2% overhead
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
tarik shalo
Joel Esler
tarik shalo
Joel Esler
waldo kitty
> I’ve been able to find the 2000419 rule within the emerging threats rule file,
> however, I have not been able to find the 2015744 rule. I have spent some time
> searching and after no success thought I’d ask for some assistance. This is the
> link I used:
that rule you can't find may be in the ET Pro set... you should perhaps ask
about this in the emerging threats list unless one of us who use ET's offerings
can confirm that it is in their Pro set... i cannot at this time as i don't
(yet) use the Pro set from ET or VRT...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________