Support #1533

closed

Potential problem with detecting Windows EXE download

Added by Guru Medidation over 8 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hi,

I am using SELKS 2.0, recently upgraded, with no changes to the default settings.
I have noticed something strange with the ET Policy alert related to Windows downloads.

Basically, if I update one of my Windows boxes, it downloads around 30 EXE/DLL files, but Suricata only generates 2 alerts: 2018959.
There should be dozens of alerts generated!
On a different NSM using Snort, monitoring the same network, I get what is expected: 30 or 40 alerts. The alerts I get there are in fact different; they fire rule 2000419.

Something a bit more confusing: if I look for rule 2000419 in Suricata, I can't find it!
But rule 2018959 does reference rule 2000419, as shown here:

scirius.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)

I don't understand why:
- I can't find rule 2000419 in Suricata (has it been superseded by 2018959? But I thought Suricata and Snort were using the same ET rule set).
- Why don't I get all the warnings in Suricata? Is it some kind of setting in /etc/suricata/suricata.yaml? If so, could you please help me see all the warnings and not just 2?

This is Suricata version 2.1dev (rev 834c366)

Thanks.
B.


Files

windows_2000419.pcap (48 KB) windows_2000419.pcap Guru Medidation, 08/22/2015 02:34 PM
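An added example, not from the ticket, the Suricata project or Emerging Threats, that emulates in Python the matching chain of the sid 2018959 rule quoted above and its flowbits logic. The `content:"MZ"; within:2` / `byte_jump:4,58,relative,little` / `content:"PE|00 00|"; distance:-64; within:4` chain checks that a response body starts with an MZ header whose e_lfanew field (offset 60) points at a `PE\0\0` signature; `flowbits:isnotset,ET.http.binary` together with `flowbits:set,ET.http.binary` means the rule fires at most once per flow, so several executables fetched over one keep-alive HTTP connection produce a single alert. The PE-shaped buffer is constructed (not a real executable) and the function names are my own.

```python
import struct

FLOWBIT = "ET.http.binary"  # flowbit name taken from the rule above


def pe_signature_matches(body: bytes) -> bool:
    """Emulate the content / byte_jump / content chain of sid 2018959
    on one HTTP response body (Suricata's file_data buffer)."""
    # content:"MZ"; within:2  -> "MZ" must occupy the first two bytes
    if body[:2] != b"MZ":
        return False
    # byte_jump:4,58,relative,little -> from the end of "MZ" (offset 2)
    # skip 58 bytes to offset 60 (e_lfanew), read 4 bytes little-endian,
    # then move the cursor past them (offset 64) plus the value just read
    if len(body) < 64:
        return False
    e_lfanew = struct.unpack_from("<I", body, 60)[0]
    cursor = 64 + e_lfanew
    # content:"PE|00 00|"; distance:-64; within:4 -> the signature must
    # start exactly 64 bytes before the cursor, i.e. at e_lfanew itself
    start = cursor - 64
    return body[start:start + 4] == b"PE\x00\x00"


def run_rule_over_flows(responses):
    """responses: iterable of (flow_id, body) pairs in arrival order.
    Returns the list of flow_ids that raised an alert, emulating
    flowbits:isnotset (skip if already set) and flowbits:set (set on match)."""
    flowbits = set()   # flows on which ET.http.binary is set
    alerts = []
    for flow_id, body in responses:
        if flow_id in flowbits:        # flowbits:isnotset fails -> no alert
            continue
        if pe_signature_matches(body):
            flowbits.add(flow_id)      # flowbits:set,ET.http.binary
            alerts.append(flow_id)
    return alerts


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped buffer: MZ header, e_lfanew at
    offset 60, PE signature at e_lfanew. Not a runnable executable."""
    buf = bytearray(b"MZ" + b"\x00" * (e_lfanew + 8))
    struct.pack_into("<I", buf, 60, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # Three downloads: two on the same keep-alive connection, one on another.
    downloads = [
        ("flow-1", make_fake_pe()),
        ("flow-1", make_fake_pe()),
        ("flow-2", make_fake_pe()),
    ]
    print("alerting flows:", run_rule_over_flows(downloads))
```

Running the script shows two alerts for three executables, because the second file on `flow-1` is suppressed by the flowbit; counting files per flow in the attached pcap (for example by HTTP transaction) is the quickest way to confirm whether this explains the 2-versus-30 discrepancy.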