[Snort-sigs] RAR File Detection

James Lay jlay at ...3266...
Mon Oct 14 11:00:12 EDT 2013


On 2013-10-14 07:05, Ginski, Richard wrote:
> The packet capture to determine payload was performed using 
> WireShark.
>
>
> RICHARD GINSKI, CISSP
>
> URS | IT Corporate Security, Security Engineer | 7650 West Courtney
> Campbell Causeway, Tampa, FL 33607
>
> | desk 813.675.6851
>
> This e-mail and any attachments contain URS Corporation confidential
> information that may be proprietary or privileged. If you receive this
> message in error or are not the intended recipient, you should not
> retain, distribute, disclose or use any of this information and you
> should destroy the e-mail and any attachments or copies.
>
> FROM: James Lay [mailto:jlay at ...3266...]
>  SENT: Friday, October 11, 2013 8:10 PM
>  TO: Snort-Sigs
>  SUBJECT: Re: [Snort-sigs] RAR File Detection
>
> On Oct 11, 2013, at 1:19 PM, "Ginski, Richard"
> <richard.ginski at ...3849...> wrote:
>
> Hi,
>
> I am new to the list and fairly-new to SNORT rule writing.
>
> I am trying to create a snort rule that detects "rar" files exiting
> our network…regardless of protocol/service. (I am assuming clear
> text-type protocols will only work here.) I am unable to create a rule
> that will fire on the criteria I have supplied for that rule.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
> content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please
> Ignore"; classtype:Test; rev:40; )
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
> content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore";
> classtype:Test; rev:40; )
>

Did you give that -k none a go on your command line?

James
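
To make the point behind `-k none` concrete: Snort verifies TCP checksums by default (checksum_mode all) and discards any segment that fails the check before a single rule is evaluated. On a sensor or test host with checksum offloading enabled, the packets Snort sees carry incomplete checksums, so a perfectly good `content` rule never gets a chance to fire; `-k none` switches that verification off. The Python below is an added example written for this page, not code from the thread or from the Snort project. It builds a TCP segment carrying the RAR signature, once with a correct checksum and once as an offloading sender would leave it, and runs a minimal imitation of the posted rules' content match with and without the checksum check. The IP addresses, ports and payload are constructed; the offload emulation (the checksum field holding only the pseudo-header partial) is an assumption about typical Linux behaviour.

```python
import struct

# Constructed constants: the byte patterns the two posted rules look for.
RULE_CONTENT_HEX = bytes.fromhex("526172211A07")  # content:"|52 61 72 21 1A 07|"
RULE_CONTENT_ASCII = b"Rar!"                      # content:"Rar!"

TCP_HEADER_LEN = 20


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment whose checksum field is correct re-checks to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip, dst_ip, src_port, dst_port, payload, offload=False):
    """Minimal TCP header (no options) followed by the payload.

    offload=False: fill in the correct checksum, as a sender without offloading would.
    offload=True : mimic a capture taken on a sender with TX checksum offloading, where
                   the field still holds only the pseudo-header partial the kernel wrote
                   before handing the packet to the NIC (assumption: typical Linux
                   behaviour; other stacks may leave zero instead).
    """
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                         (TCP_HEADER_LEN // 4) << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    if offload:
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
        csum = (~ones_complement_sum(pseudo)) & 0xFFFF
    else:
        csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def content_matches(payload: bytes, content: bytes) -> bool:
    """A Snort 'content' with no offset/depth modifier matches anywhere in the payload."""
    return content in payload


def rule_fires(src_ip, dst_ip, segment, content, checksum_mode="all"):
    """Imitate the relevant part of Snort's pipeline: with checksum_mode 'all' (the
    default) a TCP segment that fails verification is dropped before detection runs;
    '-k none' (checksum_mode none) skips the verification entirely."""
    if checksum_mode != "none" and not checksum_valid(src_ip, dst_ip, segment):
        return False
    return content_matches(segment[TCP_HEADER_LEN:], content)


def demo() -> dict:
    src_ip = bytes([10, 0, 0, 5])       # constructed $HOME_NET host
    dst_ip = bytes([203, 0, 113, 9])    # constructed $EXTERNAL_NET host
    payload = b"Rar!\x1a\x07\x00" + b"\x00" * 16   # constructed start of a RAR 4.x archive
    good = build_segment(src_ip, dst_ip, 40000, 80, payload)
    offloaded = build_segment(src_ip, dst_ip, 40000, 80, payload, offload=True)
    return {
        "good_default":    rule_fires(src_ip, dst_ip, good, RULE_CONTENT_HEX),
        "offload_default": rule_fires(src_ip, dst_ip, offloaded, RULE_CONTENT_HEX),
        "offload_k_none":  rule_fires(src_ip, dst_ip, offloaded, RULE_CONTENT_HEX, "none"),
        "ascii_k_none":    rule_fires(src_ip, dst_ip, offloaded, RULE_CONTENT_ASCII, "none"),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:16s} fired={fired}")
```

Running it shows the signature-carrying segment firing with a good checksum, staying silent under the default mode when the checksum is the offloaded partial, and firing again once the check is skipped. Two practical notes on the posted rules: both share sid 1002235 with rev 40, so Snort will treat the second as a duplicate of the first; give each its own sid. And `content:"Rar!"` matches any payload containing those four ASCII bytes, whereas the six-byte hex form is the common prefix of both the RAR 4.x signature (52 61 72 21 1A 07 00) and the RAR 5 signature (52 61 72 21 1A 07 01 00), so it covers both formats with far fewer false positives.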
