NF – Request for PNG file but sending binary file

The rule detects a scenario where an HTTP server responds to a request for a JPG file with a binary file that contains the string "This program cannot be run in DOS mode." This type of response may indicate that an exe was sent under a cover of a picture and might point on a malicius activity

Categories:

ID Number

5026002

Signature

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Request for PNG file but sending binary file"; flow:from_server,established; content:"200"; http_stat_code; content:"|21|This program cannot be run in DOS mode|2e|"; flowbits:isset,NF-RFPNG; reference:url,networkforensic.dk; metadata:07072018; classtype:misc-activity; sid:5026002; rev:1;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

Configure your network security devices (e.g., firewalls, proxies) to block the transmission of executable files (such as .exe) over HTTP traffic. Preventing the delivery of potentially malicious executable files can reduce the risk of malware infections. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.