NF – Host name with IP address sending exe file

The rule detects HTTP responses containing an executable file (exe file) being served from a web server with a host name that includes an IP address. This could indicate potentially suspicious or malicious activity, as legitimate web servers typically use domain names in their host names, not IP addresses.

Categories:

ID Number

5026006

Signature

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Host name with IP address sending exe file"; flow:from_server,established; content:"200"; http_stat_code; content:"|21|This program cannot be run in DOS mode|2e|"; flowbits:isset,NF-IPHOST; reference:url,networkforensic.dk; metadata:08092018; classtype:misc-activity; sid:5026006; rev:1;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

Configure your network security devices (e.g., firewalls, proxies) to block the transmission of executable files (such as .exe) over HTTP traffic. Preventing the delivery of potentially malicious executable files can reduce the risk of malware infections. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.