Snort POLICY PE EXE or DLL Windows file download alert
-
Howdy folks,
Getting a lot of ET POLICY PE EXE or DLL Windows file download alerts, and being a newbie, I'm not sure what this is. I have noticed that whatever it is is trying many ports. Any guidance or advice would be appreciated.
Thanks!
-
In the alerts page, find the policy and click the suppress icon to add a suppress rule to the interface.
You can find the suppress rule in the Services, Snort, Suppress tab, where you will see one or more entries like so:
wansuppress_5437e6139435f
lansuppress_544229bb9e947
Inside the suppress rule you will see something like:
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
This is your basic suppress rule, which will not block any Windows PE file. PE is just the name given to the format of Windows exe and dll files. http://en.wikipedia.org/wiki/Portable_Executable
You can also tweak the rules a bit to suit your needs better.
These threads might be useful.
https://forum.pfsense.org/index.php?topic=61018.msg339645#msg339645
https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
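The following is an added example, not part of the original posts or of pfSense/Snort itself: it parses suppress-list entries like the one quoted above and shows which alerts each list would hide. The `track by_src, ip ...` variant comes from Snort's documented suppress syntax rather than from the thread; the IP addresses, alert records and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed suppress lists: the entry quoted in the thread, and a narrower variant.
BROAD = """#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419"""
NARROW = """#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419, track by_src, ip 192.0.2.10"""

RULE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")

def parse_suppress(text):
    """Return (gid, sid, track, network) tuples; comment lines are skipped."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        gid, sid, track, ip = m.groups()
        # Only a single address or CIDR is handled here (assumption of this example).
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules

def is_suppressed(alert, rules):
    for gid, sid, track, net in rules:
        if (gid, sid) != (alert["gid"], alert["sid"]):
            continue
        if track is None:  # no track/ip: the signature is hidden for every host
            return True
        addr = alert["src"] if track == "by_src" else alert["dst"]
        if ipaddress.ip_address(addr) in net:
            return True
    return False

# Constructed alerts: same signature, two different download sources.
ALERTS = [
    {"gid": 1, "sid": 2000419, "src": "192.0.2.10", "dst": "10.0.0.5"},
    {"gid": 1, "sid": 2000419, "src": "198.51.100.7", "dst": "10.0.0.5"},
]

def summary(text):
    return [is_suppressed(a, parse_suppress(text)) for a in ALERTS]

if __name__ == "__main__":
    print("broad:", summary(BROAD), "narrow:", summary(NARROW))
```

The broad entry hides the signature for every source, while the tracked entry hides it only for the one listed address and leaves alerts from other hosts visible.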