Question

This question is in reference to the question Detecting exe 32/64bit. In a network flow, would an exe download still maintain this information for each packet?

How can I leverage the use of P E 00 00 64 86 or P E 00 00 4C 01 logic in snort? Would I have to use some sort of stream re-assembler like stream5 that comes with snort to map packets to file and then look for the content?

On trying this in snort out of the box I got alerts for every packet of the exe that was downloaded. I am trying to understand how the file data is divided into packets and how we can verify that an individual packet contains data that's part of an exe (32/64 bit)?


Solution

Figured out why the alerts were being triggered for each packet of the exe download. Snort uses stream5 by default out of the box and reassembles all the packets for you when you issue a content match rule.

Thus what was happening was that every time a raw packet came in, it would be reassembled with the earlier packets in the stream and matched against the properties in the rule. Hence this would be repeated every time a packet came in.

Setting stream5_global: show_rebuilt_packets in snort.conf would show packets as they are rebuilt. You could also try running snort with snort -A cmg .. to see where the logs are coming from i.e. see the assembled packets at each stage.

However, it's still not clear how snort can be easily integrated with a data carving tool to extract files from packet captures and whether it can be done inline.
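The reassembly behaviour described in this answer, as an added example that is not part of the original question or answer: a small Python model of a TCP payload stream that carries a PE file, segmented into packets at arbitrary boundaries. It shows why a per-packet content match misses a signature that straddles a packet boundary, why matching against the cumulative rebuilt stream (what stream5 does) fires on every packet after the one that completes the signature, and how a once-per-flow gate fixes that. It also walks MZ -> e_lfanew -> PE header on the reassembled bytes, which is what a carver does instead of searching for raw bytes. The sample "exe" bytes and the segment sizes are constructed for the demo; the only real values are the `PE\0\0` signature and the two `IMAGE_FILE_HEADER.Machine` constants (0x8664 for x64, 0x014c for x86) that the question's byte patterns encode.

```python
import struct

# The byte patterns from the question: "PE\0\0" followed by the little-endian
# IMAGE_FILE_HEADER.Machine field. These are the only non-constructed values here.
PE_X64 = b"PE\x00\x00\x64\x86"   # IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE_X86 = b"PE\x00\x00\x4c\x01"   # IMAGE_FILE_MACHINE_I386  = 0x014c
MACHINE_NAMES = {0x8664: "x64", 0x014C: "x86"}


def build_fake_exe(machine: int, pe_offset: int = 0x80, total_len: int = 2048) -> bytes:
    """Constructed sample: an MZ stub whose e_lfanew points at a PE signature.
    Not a runnable executable, just enough header to exercise the detection."""
    dos = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", dos, 0x3C, pe_offset)          # e_lfanew at offset 0x3C
    body = bytes(dos) + b"PE\x00\x00" + struct.pack("<H", machine)
    return body + b"\x90" * (total_len - len(body))       # constructed filler


def segment(data: bytes, sizes) -> list:
    """Split a stream into 'packets' with the given payload sizes (constructed
    segmentation; real TCP segment boundaries are just as arbitrary)."""
    packets, pos = [], 0
    for n in sizes:
        packets.append(data[pos:pos + n])
        pos += n
    if pos < len(data):
        packets.append(data[pos:])
    return packets


def _has_signature(buf: bytes) -> bool:
    return PE_X64 in buf or PE_X86 in buf


def per_packet_alerts(packets) -> list:
    """Naive matching on each raw packet in isolation: a signature that straddles
    a packet boundary is never seen. Returns the indexes of alerting packets."""
    return [i for i, p in enumerate(packets) if _has_signature(p)]


def rebuilt_stream_alerts(packets) -> list:
    """Model of stream5 rebuilt-packet matching: each new segment is matched
    against the cumulative reassembled stream, so once the signature is present
    the rule fires again on every later packet of the flow."""
    buf, alerts = b"", []
    for i, p in enumerate(packets):
        buf += p
        if _has_signature(buf):
            alerts.append(i)
    return alerts


def flow_once_alerts(packets) -> list:
    """Once-per-flow gate: alert the first time the reassembled stream contains
    the signature, then stay silent for the rest of the flow."""
    buf = b""
    for i, p in enumerate(packets):
        buf += p
        if _has_signature(buf):
            return [i]
    return []


def pe_machine(stream: bytes):
    """Walk MZ -> e_lfanew -> PE signature on the reassembled stream and return
    'x64', 'x86', or None. Bounds-checked so a truncated flow cannot raise."""
    if len(stream) < 0x40 or stream[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", stream, 0x3C)[0]
    if off + 6 > len(stream) or stream[off:off + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", stream, off + 4)[0]
    return MACHINE_NAMES.get(machine)


if __name__ == "__main__":
    # Segment boundary at 130 cuts the signature (bytes 128..133) in half.
    pkts = segment(build_fake_exe(0x8664), [130, 100, 500, 1000])
    print("per-packet:", per_packet_alerts(pkts))          # []
    print("rebuilt stream:", rebuilt_stream_alerts(pkts))  # [1, 2, 3, 4]
    print("once per flow:", flow_once_alerts(pkts))        # [1]
    print("machine:", pe_machine(b"".join(pkts)))          # x64
```

The once-per-flow behaviour is what a Snort rule gets from `flowbits` (gate the content match with `flowbits:isnotset` and set the bit in the same rule), so the rebuilt-stream match is reported a single time per download rather than per packet. Walking the header as `pe_machine` does, on the full reassembled stream, also avoids alerting on `PE\0\0` occurring by chance inside unrelated data.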

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow