[Snort-sigs] RAR File Detection

James Lay jlay at ...3266...
Fri Oct 11 20:09:32 EDT 2013


On Oct 11, 2013, at 1:19 PM, "Ginski, Richard" <richard.ginski at ...3849...> wrote:

> Hi,
>  
> I am new to the list and fairly new to SNORT rule writing.
>  
> I am trying to create a snort rule that detects "rar" files exiting our network, regardless of protocol/service. (I am assuming clear-text-type protocols will only work here.) I am unable to create a rule that will fire on the criteria I have supplied for that rule.
>  
> In the content of the rule, I have tried using hex ("52 61 72 21 1A 07" to cover both versions of rar) and also ascii ("Rar!", with case sensitivity enabled/disabled). I did not define depth nor offset so that the entire payload is examined. I also performed a packet capture to confirm that both values for content exist in the payload of the packet capture. Further, to eliminate them as a potential cause, I have also replaced the variables with known IP values of the traffic captured. Still no luck.
>  
> Below are the rules I've tried:
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please Ignore"; classtype:Test; rev:40; )
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore"; classtype:Test; rev:40; )
> 
> Richard Ginski, CISSP
> URS  |  IT Corporate Security, Security Engineer |  7650 West Courtney Campbell Causeway, Tampa, FL  33607
> | desk 813.675.6851
>  
>  

Live traffic or pcap testing? If pcap, add a -k none to your snort line.

James
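The two things this exchange turns on, as an added illustration that is not part of the thread and not Snort code: the "Rar!" signature the posted rules look for (52 61 72 21 1A 07, followed by 00 for RAR 1.5-4.x and 01 00 for RAR 5), and why James asks about pcap testing. By default Snort verifies transport checksums and skips packets whose checksum is wrong, which is what a capture taken on a host with checksum offload contains; -k none turns that verification off. The script below models both behaviours on constructed packets (the IPs, ports and archive bytes are made up for the example), and also shows a third reason a per-packet match can miss: the signature landing on a TCP segment boundary, which is why the test capture should hold the whole session so Snort's stream preprocessor can reassemble it.

```python
import struct

# What the posted rule matches: |52 61 72 21 1A 07|, common to both RAR formats.
RAR_PREFIX = b"Rar!\x1a\x07"

# Constructed samples (not real archives): the leading bytes of a RAR 4.x
# and a RAR 5 file, followed by filler standing in for the archive body.
RAR4_SAMPLE = b"Rar!\x1a\x07\x00" + b"\xcf\x90\x73" + b"A" * 40
RAR5_SAMPLE = b"Rar!\x1a\x07\x01\x00" + b"\x33\x92\xb5" + b"B" * 40

# The same RAR 4 upload split across two TCP segments at an unlucky boundary.
SPLIT_UPLOAD = [b"POST /upload HTTP/1.1\r\n\r\nRar", b"!\x1a\x07\x00" + b"A" * 40]


def rar_version(payload: bytes):
    """Return 'rar4', 'rar5', 'unknown' or None for a payload, based on the signature."""
    i = payload.find(RAR_PREFIX)
    if i < 0:
        return None
    tail = payload[i + len(RAR_PREFIX):i + len(RAR_PREFIX) + 2]
    if tail[:1] == b"\x00":          # Rar!\x1a\x07\x00  -> RAR 1.5 to 4.x
        return "rar4"
    if tail == b"\x01\x00":          # Rar!\x1a\x07\x01\x00 -> RAR 5
        return "rar5"
    return "unknown"


def per_packet_hits(segments):
    """Apply the content match to each TCP segment on its own."""
    return [rar_version(s) for s in segments]


def stream_hit(segments):
    """Apply the same match to the reassembled byte stream."""
    return rar_version(b"".join(segments))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length.
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum for a segment whose checksum field is currently zero."""
    return (~ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A correct segment sums to all ones when the checksum field is included."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload, bad_checksum=False):
    """Minimal 20-byte TCP header (PSH|ACK) plus payload; optionally corrupt the checksum
    the way a capture on a host with checksum offload looks."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if bad_checksum:
        csum ^= 0x5A5A
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def inspect(src_ip, dst_ip, segment, verify_checksums=True):
    """Model Snort's default: a segment with a bad TCP checksum is never content-matched.
    verify_checksums=False is the equivalent of running snort with -k none."""
    if verify_checksums and not tcp_checksum_ok(src_ip, dst_ip, segment):
        return "dropped: bad checksum"
    return rar_version(segment[20:])


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9])   # constructed addresses
    good = build_tcp_segment(src, dst, 49152, 80, RAR4_SAMPLE)
    bad = build_tcp_segment(src, dst, 49152, 80, RAR4_SAMPLE, bad_checksum=True)
    print("good checksum, default  :", inspect(src, dst, good))
    print("bad checksum, default   :", inspect(src, dst, bad))
    print("bad checksum, -k none   :", inspect(src, dst, bad, verify_checksums=False))
    print("split upload, per packet:", per_packet_hits(SPLIT_UPLOAD))
    print("split upload, stream    :", stream_hit(SPLIT_UPLOAD))
```

The checksum part is the direct answer to the question: a rule that looks correct never fires on a pcap whose TCP checksums are wrong unless Snort is told not to verify them. The split-upload part is the caveat that remains once -k none is in place: a six-byte signature can straddle two segments, so the capture used for testing should contain the complete TCP session rather than a single packet carrying the bytes.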