Snort POLICY PE EXE or DLL Windows file download alert
I'm getting a lot of ET POLICY PE EXE or DLL Windows file download alerts and, being a newbie, I'm not sure what this is. I have noticed that whatever it is is trying many ports. Any guidance or advice would be appreciated.
In the alerts page, find the policy and click the suppress icon to add a suppress rule to the interface.
You can find the suppress rule in the Services, Snort, Suppress tab, where you will see one or more entries like so.
Inside the suppress rule you will see something like:
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
This is your basic suppress rule, which will not block any Windows PE file. PE is just the name given to the format of Windows EXEs and DLLs. http://en.wikipedia.org/wiki/Portable_Executable
You can also tweak the rules a bit to suit your needs better.
These threads might be useful.
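
An added example (not part of the thread and not Snort's or the package's own code): a short Python script that tallies alerts for sig_id 2000419 per destination host, listing the remote sources and the number of distinct destination ports, and prints a suppress line scoped to that host with Snort's `track by_dst, ip` options instead of the global form. It assumes alerts are logged in Snort's alert_fast text layout; the sample lines, addresses and the second rule are constructed.

```python
import re
from collections import defaultdict

SID = 2000419  # sig_id taken from the suppress rule quoted in the thread

# Constructed sample alerts in alert_fast layout (documentation/private addresses).
SAMPLE = """\
03/14-10:02:11.120001  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.20:49811
03/14-10:02:15.482210  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.20:49812
03/14-10:07:40.009312  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.20:50122
03/14-11:30:02.771000  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.168.1.31:51500
03/14-11:31:00.000001  [**] [1:1000001:1] Constructed local rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:443 -> 192.168.1.31:51501
"""

# [gid:sid:rev] message [**] ... {PROTO} src:sport -> dst:dport
LINE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def summarize(text, sid=SID):
    """Per destination host: alert count, remote sources, distinct destination ports."""
    hosts = defaultdict(lambda: {"alerts": 0, "sources": set(), "dports": set()})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or int(m["sid"]) != sid:
            continue  # unparseable line or a different signature
        h = hosts[m["dst"]]
        h["alerts"] += 1
        h["sources"].add(f'{m["src"]}:{m["sport"]}')
        h["dports"].add(int(m["dport"]))
    return dict(hosts)

def scoped_suppress(host, sid=SID, gid=1):
    """Suppress entry limited to one destination host rather than every host."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {host}"

if __name__ == "__main__":
    for host, h in sorted(summarize(SAMPLE).items()):
        print(f'{host}: {h["alerts"]} alerts, {len(h["dports"])} distinct dst ports, '
              f'from {sorted(h["sources"])}')
        print("  " + scoped_suppress(host))
```

Review the sources listed for each host before pasting a scoped line into the suppress list, since a suppressed signature no longer alerts for that host at all.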