Detection Rules Using Snort

UpdatedOctober 7, 2025

•1 min read

Task :

Writing 3 different detection rules for detecting any executable download (IDS MODE)

Snort Installation :

Writing rules in Snort :

nano /etc/snort/rules/local.rules

and paste

alert tcp any any -> any 80 (msg:"Executable Download Detected (.exe)"; flow:to_client,established; content:".exe"; nocase; http_uri; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Executable MIME Download Detected"; flow:to_client,established; content:"application/x-msdownload"; http_header; nocase; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"Executable Binary Payload Detected (MZ header)"; flow:to_client,established; content:"MZ"; offset:0; depth:2; sid:1000003; rev:1;)

Testing :

Run Snort in a terminal:

sudo snort -c /etc/snort/snort.conf -r Downloads/1.pcap -A fast

Link of the pcap file Download

Sheet Cheat Link Download

Comments (1)

Join the discussion

Bonnie Olivia8mo ago

Thanks for being patience with me. All my questions were answered and the support continued even after the delivery of the service . I will continue to work with you and I have already started referring family to you that needed similar assistance. Thanks JBEE SPY TEAM on telegram +44 7456 058620

More from this blog

ELK Setup, Log Ingestion & Attack Detection

Required Tasks Installing & configuring Elasticsearch Installing & configuring Kibana Connecting Elasticsearch with Kibana Installing & configuring Fluentbit Installing & Configuring Winlogbeat Writing detection rules & simulating a suspicious ...

Oct 8, 20253 min read

ELK Setup, Log Ingestion & Attack Detection

block all traffic to/from a domain by Bash Script

Target: Create a Bash script to block all traffic to/from a domain Youtube by resolving its IPs , then save the info to a file. Setup Environment First of all I create a directory for the task and create the script file with the extension .sh ...

Oct 6, 20251 min read

block all traffic to/from a domain by Bash Script

Step-by-Step: Kali Attacks vs (WAF) on Ubuntu using Nginx & ModSecurity with OWASP Core Rule Set (CRS)

sa sudo apt install -y git gcc g++ make automake autoconf libtool libpcre3 libpcre3-dev \ libxml2 libxml2-dev libyajl-dev pkgconf zlib1g zlib1g-dev libcurl4-openssl-dev \ libgeoip-dev liblmdb-dev libfuzzy-dev liblua5.3-dev libpcre2-dev nginx wget cur...

Oct 3, 20251 min read

Step-by-Step: Kali Attacks vs (WAF) on Ubuntu using Nginx & ModSecurity with OWASP Core Rule Set (CRS)

MAC Spoofing

Target : Change the Logical MAC Address Every 3 Minutes on Windows MAC Spoofing With Python import ctypes, sys, subprocess, random, time INTERFACE = "Wi-Fi" def is_admin(): try: return ctypes.windll.shell32.IsUserAnAdmin() except: ...

Oct 3, 20252 min read

Nader Elgezawy 🥷

5 posts

Command Palette