Further verification and validation

Morning team Emerging threats

Can you please advise if there is another software that can verify and validate the signature rule below as an alert? Nessus and Malwarebytes scans have proven futile in raising alerts for this rule, except for Security Onion.

https://doc.emergingthreats.net/2019714

Appreciate your advice and assistance

Thanks

Hi @prime69!

Thanks for reaching out! This signature is basically just looking for HTTP requests that download an executable with a suspicious filename which is a little generic and makes the rule more prone to false positives. This link shows some examples of true positives that will trigger the signature.

Here is a breakdown of what the

Regex:

pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/";

  1. [A-Z]? - The executable name can start with a capital letter but it is not required.
  2. [a-z]{1,3} - There must be at least three consecutive lowercase characters.
  3. [0-9]? - The executable name can end in a digit but it is not required.
  4. \.exe$ - The filename/URL must end in .exe

If you have an example URL or pcap you can share I'm happy to take a look and make any adjustments to the signature if we need to!

Thanks,
Isaac

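To check how the pcre component of this signature behaves before chasing alerts in another tool, here is an added Python harness (not from the thread or from Emerging Threats) that applies the same pattern to constructed URI paths. It only exercises the pcre shown above, not the rule's other content matches, and it assumes the pattern is evaluated case-sensitively against the request path as a single line.

```python
import re

# The pcre from the signature above, as a Python regex.
# Assumption: no Suricata modifiers beyond what is shown, so matching is
# case-sensitive and "$" anchors at the end of the buffer.
EXE_NAME_PCRE = re.compile(r"/[A-Z]?[a-z]{1,3}[0-9]?\.exe$")


def matches_pcre(uri: str) -> bool:
    """True when the URI ends in a filename the pcre accepts.

    re.search is used so the pattern may match at any "/" in the path,
    which is how a path such as /downloads/abc.exe still triggers.
    """
    return EXE_NAME_PCRE.search(uri) is not None


def classify(uris):
    """Split a batch of URI paths into (matched, unmatched) lists."""
    matched = [u for u in uris if matches_pcre(u)]
    unmatched = [u for u in uris if not matches_pcre(u)]
    return matched, unmatched


# Constructed sample URIs (not observed traffic) chosen to probe each
# element of the pattern: optional capital, 1-3 lowercase, optional digit.
SAMPLE_URIS = [
    "/abc.exe",          # 3 lowercase letters: matches
    "/a.exe",            # only 1 lowercase letter: still matches ({1,3})
    "/Abc1.exe",         # capital + 3 lowercase + digit: matches
    "/Inst.exe",         # capital consumes "I", "nst" are the lowercase run
    "/downloads/abc.exe",# matches at the last "/"
    "/setup.exe",        # 5 lowercase letters: no match
    "/abcd.exe",         # 4 lowercase letters: no match
    "/x64.exe",          # only one digit allowed before ".exe": no match
    "/ABC.exe",          # uppercase run is not [a-z]: no match
    "/abc.EXE",          # case-sensitive: no match
    "/abc.exe?id=1",     # "$" requires .exe at the very end: no match
]

if __name__ == "__main__":
    hits, misses = classify(SAMPLE_URIS)
    print("match:   ", hits)
    print("no match:", misses)
```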

Thanks Isaac

for the insight. Apologies, I keep forgetting to add the pcap.

Will make sure I add it for the next alert.

Regards
Joseph
