Snort configuration for detecting exe in network flow [closed]

0 votes
asked by user (160 points)

This question is in reference to the question Detecting exe 32/64bit. In a network flow, would an exe download still maintain this information for each packet?

How can I leverage the use of P E 00 00 64 86 or P E 00 00 4C 01 logic in Snort? Would I have to use some sort of stream reassembler like stream5, which comes with Snort, to map packets to the file and then look for the content?

On trying this in Snort out of the box, I got alerts for every packet of the exe that was downloaded. I am trying to understand how the file data is divided into packets and how we can verify that an individual packet contains data that's part of an exe (32/64-bit).

commented by user (1.2k points)
This question should be moved to Super User or Security.
commented by user (160 points)
It already has the security tag.
commented by user (1.2k points)
Yes, but Stack Overflow is for programmers, not administrators. If you asked how to write a plugin for Snort, then yes, this is the place :). But you're asking about configuration.
commented by user (100 points)
This is a great question, but it's not about programming.
commented by user (160 points)
@Fatfredyy the idea was to see if writing a custom plugin is a good way to go about it. This is by no means just a configuration issue. I actually ended up writing a custom plugin for this, although there may have been an easier way to just write the Snort rules in an intelligent manner.

1 Answer

0 votes
answered by user (160 points)

Figured out why alerts were being triggered for each packet of the exe download. Snort uses stream5 by default out of the box and reassembles all the packets for you when you use a content-match rule.

So what was happening was that every time a raw packet came in, it would be reassembled with the earlier packets in the stream and matched against the properties in the rule. Hence this would be repeated every time a packet came in.

Setting stream5_global: show_rebuilt_packets in snort.conf will show packets as they are rebuilt. You could also try running Snort with snort -A cmg .. to see where the logs are coming from, i.e. to see the assembled packets at each stage.

However, it's still not clear how Snort can be easily integrated with a data-carving tool to extract files from packet captures, and whether it can be done inline.
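The segmentation and reassembly behaviour discussed in the question and in the answer above, as an added example (my own code, not from the original poster, the answerer or Snort): a constructed minimal PE header is cut into TCP-segment-sized chunks and the PE-signature-plus-Machine pattern (the "P E 00 00 64 86" / "P E 00 00 4C 01" bytes from the question) is checked three ways: against each segment on its own, against the growing rebuilt stream after every segment (the repeated-alert effect), and once per flow. The sample "download" is constructed test data, not a real binary, and the default MSS of 194 is chosen deliberately so that the signature straddles a segment boundary.

```python
"""Simulate how a PE download is split into TCP segments and why a per-packet
signature check differs from a check on the reassembled stream.
Added example, not code from the original question or answer.  The sample
'download' built below is a constructed minimal header, not a real executable."""
import struct

# Machine field values from the PE/COFF spec.  The "64 86" and "4C 01" bytes in
# the question are these values written little-endian on the wire.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_sample_pe(machine, pad=0x80):
    """Construct DOS header + stub filler + 'PE\\0\\0' + 20-byte COFF header (constructed data)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)          # 0x3C bytes of DOS header
    e_lfanew = 0x40 + pad                            # where the PE signature will sit
    dos += struct.pack("<I", e_lfanew)               # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))           # DOS stub filler
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 512   # tail stands in for the rest of the file


def classify_pe(data):
    """Return 'PE32', 'PE32+' or None by following MZ -> e_lfanew -> 'PE\\0\\0' -> Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None                                  # signature not (yet) in this buffer
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {IMAGE_FILE_MACHINE_I386: "PE32", IMAGE_FILE_MACHINE_AMD64: "PE32+"}.get(machine)


def segment(payload, mss):
    """Split an application payload into TCP-segment-sized chunks (headers not modelled)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_hits(segments, pattern):
    """Content match on each raw segment alone: misses a pattern that straddles a boundary."""
    return [i for i, seg in enumerate(segments) if pattern in seg]


def cumulative_hits(segments, pattern):
    """Content match on the stream rebuilt so far after each segment arrives.
    Once the pattern is in the rebuilt buffer every later rebuild matches again,
    which is the 'alert for every packet' effect described in the answer."""
    buf, hits = b"", []
    for i, seg in enumerate(segments):
        buf += seg
        if pattern in buf:
            hits.append(i)
    return hits


def alert_once(segments, pattern):
    """Alert only on the segment that first completes the pattern in the rebuilt
    stream, i.e. keep per-flow state so the same flow is not reported again."""
    buf = b""
    for i, seg in enumerate(segments):
        buf += seg
        if pattern in buf:
            return i
    return None


def demo(machine=IMAGE_FILE_MACHINE_AMD64, mss=194):
    pe = build_sample_pe(machine)
    sig = b"PE\x00\x00" + struct.pack("<H", machine)   # e.g. b'PE\x00\x00\x64\x86'
    segs = segment(pe, mss)
    return {
        "signature_offset": pe.index(sig),
        "per_packet": per_packet_hits(segs, sig),
        "cumulative": cumulative_hits(segs, sig),
        "alert_once": alert_once(segs, sig),
        "reassembled": classify_pe(b"".join(segs)),
        "first_segment_alone": classify_pe(segs[0]),
    }


if __name__ == "__main__":
    print(demo())          # signature straddles the 194-byte boundary
    print(demo(mss=100))   # signature lands whole inside segment 1
```

With the default MSS the per-segment check finds nothing at all, the cumulative check fires on segment 1 and on every segment after it, and only the reassembled buffer classifies as PE32+; with MSS 100 the signature happens to land inside one segment, so a raw-packet match works by luck. In Snort 2.x rule terms (stated as an assumption about the intended rule; not tested on this page), a raw `content` match corresponds to the per-segment case, matching on stream5-rebuilt packets corresponds to the cumulative case, and a rule restricted with flow:to_client,established,only_stream; file_data; content:"MZ"; depth:2; content:"PE|00 00|"; distance:0; byte_test:2,=,0x8664,0,relative,little; anchors the Machine check immediately after the PE signature in the reassembled body, with a flowbit to stop it re-alerting on each rebuild of the same flow.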
