alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, updated_at 2017_02_01;)

Added 2019-04-24 19:04:36 UTC
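The payload half of this rule is a three-step chain over the `file_data` buffer: `MZ` at offset 0, a `byte_jump` that reads the DOS header's `e_lfanew` at offset 60 (2 bytes of matched `MZ` plus 58) and lands the detection pointer at `64 + e_lfanew`, and a `PE|00 00|` check that `distance:-64` pulls back to exactly `e_lfanew`. The Python below is an added illustration of that logic (not Emerging Threats' or Snort's code); the `flow`/`flowbits` conditions, including the `ET.INFO.WindowsUpdate` flowbit that rev:3 introduced, are stateful and not modelled, and the out-of-bounds handling of the jump is an assumption noted in the code.

```python
import struct

# Added illustration of sid:2018959's content/byte_jump chain; not ET or Snort code.
# `body` stands for the HTTP response body that `file_data` hands to the engine.
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"


def mirrors_sid_2018959(body: bytes) -> bool:
    """True when `body` satisfies the rule's payload conditions.

    content:"MZ"; within:2          -> "MZ" at offset 0, pointer now at 2
    byte_jump:4,58,relative,little  -> read 4 LE bytes at 2+58 = 60 (e_lfanew),
                                       pointer moves to 64 + e_lfanew
    content:"PE|00 00|"; distance:-64; within:4
                                    -> "PE\\0\\0" must sit exactly at e_lfanew
    """
    if body[:2] != MZ_MAGIC:
        return False
    if len(body) < 64:                  # byte_jump needs bytes 60..63 present
        return False
    e_lfanew = struct.unpack_from("<I", body, 60)[0]
    pointer = 64 + e_lfanew
    if pointer >= len(body):            # assumed: a jump outside the buffer fails
        return False
    start = pointer - 64                # distance:-64 brings us back to e_lfanew
    return body[start:start + 4] == PE_MAGIC   # within:4 with a 4-byte pattern


def build_sample(e_lfanew: int, with_pe: bool = True) -> bytes:
    """Constructed sample body: 64-byte DOS header, padding, then the NT header.

    Real PEs carry at least a COFF header and optional header after "PE\\0\\0",
    which is why the jump to 64 + e_lfanew always lands inside a genuine file.
    """
    if e_lfanew < 64:
        raise ValueError("sample builder expects e_lfanew past the DOS header")
    dos = bytearray(64)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 60, e_lfanew)
    body = bytes(dos) + b"\x00" * (e_lfanew - 64)
    body += (PE_MAGIC if with_pe else b"\x00" * 4) + b"\x00" * 96
    return body


if __name__ == "__main__":
    print(mirrors_sid_2018959(build_sample(0x80)))                  # True
    print(mirrors_sid_2018959(build_sample(0x80, with_pe=False)))   # False
    print(mirrors_sid_2018959(b"GIF89a" + b"\x00" * 200))           # False
```

A `.exe` served over HTTP with any `e_lfanew` value passes, which is why legitimate installers and updates trip the rule and why the later revisions gate it behind flowbits rather than tightening the byte pattern.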


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3; metadata:created_at 2014_08_19, updated_at 2017_02_01;)

Added 2018-09-13 19:49:09 UTC

I am using the emerging threat rules in my Snort IPS. I am disabling some of the rules by using Barnyard2 and the disablesid.conf mechanism. Two of the rules that I am disabling are sid:2000419 and sid:2018959. I have the entries in disablesid.conf in numeric order so sid:2000419 is processed prior to sid:2018959. When Barnyard2 processes the disablesid.conf file, it disables sid:2000419 but doesn't disable sid:2018959. I believe that this happens because when Barnyard2 is parsing the entry for sid:2018959 it finds 2000419 in the rule in "reference:url,doc.emergingthreats.net/bin/view/Main/2000419;" and, since it has already disabled sid:2000419, it skips disabling sid:2018959. I believe that my problem would be solved by changing the "reference:.." from 2000419 to 2018959. Thank you.

-- JamesCampbell - 2018-11-16

Additional information: I commented out the entry for sid:2000419 in the disablesid.conf. Re-running Barnyard2 resulted in sid:2000419 being disabled but not sid:2018959. Barnyard2 reported that it had processed all the disablesid.conf records and skipped none.

I believe that this proves that having two sid numbers in the same record is what is causing my problem. Please remove or change the 2000419 in the sid:2018959 rule record.

-- JamesCampbell - 2018-11-16


Added 2018-09-13 17:58:54 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3; metadata:created_at 2014_08_19, updated_at 2017_02_01;)

Added 2017-08-07 21:13:07 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3;)

Added 2017-02-01 18:33:05 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)

Added 2014-08-19 16:22:04 UTC

I think this rule should be updated to include

pcre:"/^((?!\.windowsupdate\.com).)*$/im";

as all Windows machines generate loads of auto-update alerts due to this rule... Thoughts?

-- ScottNursten - 2017-02-01

Thanks, we'll get this fixed up today!

-- DarienH - 2017-02-01


Topic revision: r4 - 2018-11-16 - JamesCampbell