[Snort-devel] File magic rules for 2.9.6, what options are required?

Joshua Kinard kumba at ...2185...
Fri Dec 27 20:14:54 EST 2013


On 12/27/2013 5:22 PM, Victor Roemer wrote:

> 4. Attached is the Sourcefire "file_magic.conf" that contains a load of
> rules for identifying file types. When we originally put this together, the
> "ver" keyword was, at the time, not used.
> 
> We had intended on releasing this file with the Snort 2.9.6 beta package,
> however we will be releasing this with 2.9.6 proper when the time comes.

Thanks!  This will explain things a lot better.  For kicks, I added a file
magic that, although rare, may not be totally extinct from networks just yet:

file type:NETWARE_NLM; id:172; category:Executables; msg:"Novell NetWare Loadable Module (NLM)"; rev:1; content:|4e 65 74 57 61 72 65 20 4c 6f 61 64 61 62 6c 65 20 4d 6f 64 75 6c 65|; offset:0;

That content match quite literally spells out "NetWare Loadable Module",
from offset zero.  Can't get any more definitive than that, eh?

--J
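As an added example (not code from Snort, Sourcefire or the poster), the following Python parses a rule in the form posted above and checks byte buffers against it. It assumes only the options that appear in that rule (type, id, category, msg, rev, content, offset) and that a rule is one line, possibly wrapped by a mail client; the second rule, the sample buffers and the DEMO_OFFSET4 name are constructed for the demo.

```python
"""Parse Snort 2.9.6-style file-magic rules and test them against byte buffers.

Added example, not code from Snort or from the thread. It assumes only the
options present in the posted NLM rule and that each rule is a single
(possibly mail-wrapped) line.
"""
import re
from dataclasses import dataclass

# The NLM rule exactly as it appears in the mail, wrapped across three lines.
WRAPPED_NLM_RULE = """file type:NETWARE_NLM; id:172; category:Executables; msg:"Novell NetWare
Loadable Module (NLM)"; rev:1; content:|4e 65 74 57 61 72 65 20 4c 6f 61 64
61 62 6c 65 20 4d 6f 64 75 6c 65|; offset:0;"""

# Constructed rule (not from the thread, hypothetical type/id) whose content
# sits at offset 4, to show that offset anchors the match rather than
# bounding a search.
DEMO_OFFSET_RULE = ('file type:DEMO_OFFSET4; id:9999; category:Executables; '
                    'msg:"constructed demo rule"; rev:1; content:|de ad be ef|; offset:4;')

# name:value;  where value is "quoted text", |hex bytes| or bare text.
_OPTION_RE = re.compile(r'\s*([a-z_]+)\s*:\s*("[^"]*"|\|[^|]*\||[^;]*)\s*;')


@dataclass(frozen=True)
class FileMagicRule:
    file_type: str
    rule_id: int
    category: str
    msg: str
    rev: int
    content: bytes
    offset: int

    def matches(self, data: bytes) -> bool:
        """True when the content bytes occur at exactly self.offset."""
        end = self.offset + len(self.content)
        return len(data) >= end and data[self.offset:end] == self.content


def parse_rule(text: str) -> FileMagicRule:
    """Parse one rule; mail-style line wrapping is collapsed first."""
    body = ' '.join(text.split())
    if not body.startswith('file '):
        raise ValueError('not a file magic rule: %r' % body[:20])
    opts = dict(_OPTION_RE.findall(body[len('file '):]))
    return FileMagicRule(
        file_type=opts['type'].strip(),
        rule_id=int(opts['id']),
        category=opts['category'].strip(),
        msg=opts['msg'].strip('"'),
        rev=int(opts['rev']),
        content=bytes.fromhex(opts['content'].strip('|')),  # fromhex skips whitespace
        offset=int(opts.get('offset', '0')),
    )


def identify(data: bytes, rules) -> list:
    """File types of every rule that matches the buffer, in rule order."""
    return [r.file_type for r in rules if r.matches(data)]


# Constructed sample buffers: a fake NLM header, and an unrelated file that
# carries the NLM string only after a prefix (so the offset:0 rule must miss).
SAMPLE_NLM = b'NetWare Loadable Module' + b'\x00' * 8
SAMPLE_OTHER = b'\x00' * 4 + b'\xde\xad\xbe\xef' + b'NetWare Loadable Module'

if __name__ == '__main__':
    rules = [parse_rule(WRAPPED_NLM_RULE), parse_rule(DEMO_OFFSET_RULE)]
    for name, buf in (('SAMPLE_NLM', SAMPLE_NLM), ('SAMPLE_OTHER', SAMPLE_OTHER)):
        print(name, identify(buf, rules))
```

The offset is an absolute position, not a search depth: SAMPLE_OTHER contains the full "NetWare Loadable Module" string, but not at offset 0, so the NLM rule does not fire on it. The parser keeps only the options shown in the thread; if the real file_magic.conf carries options beyond these (the quoted reply mentions a "ver" keyword) or more than one content/offset pair per rule, extend the dataclass rather than relying on the last-wins behaviour of the dict.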