I’m new to utilizing snort and am making an attempt to write down a rule that alerts when content material consists of ".exe". My native.guidelines has this
alert tcp any any -> any any ( msg:"Sus .exe bundle"; content material:"|2e|exe"; sid:1000004; rev:1;)
This rule appears to be working wonderful for this 2018/03/16 Gandcrab pcap file however not for this 2013/11/15 Gondad pcap file
These are the tcp streams from wireshark. What am I doing mistaken?
One other factor I seen is that if I take advantage of utility/octet-stream within the guidelines content material subject it seams to be working as supposed. However octet-stream do not at all times suggest .exe information (atleast from what I perceive from this submit)
