[Snort-sigs] RAR File Detection

Ginski, Richard richard.ginski at ...3849...
Mon Oct 14 11:26:51 EDT 2013


I'm sorry. What command for what tool would I add the "-k none" to?






Richard Ginski, CISSP
URS  |  IT Corporate Security, Security Engineer |  7650 West Courtney Campbell Causeway, Tampa, FL  33607
| desk 813.675.6851 


This e-mail and any attachments contain URS Corporation confidential information that may be proprietary or privileged. If you receive this message in error or are not the intended recipient, you should not retain, distribute, disclose or use any of this information and you should destroy the e-mail and any attachments or copies.


-----Original Message-----
From: James Lay [mailto:jlay at ...3266...] 
Sent: Monday, October 14, 2013 11:00 AM
To: Snort-Sigs
Subject: Re: [Snort-sigs] RAR File Detection

On 2013-10-14 07:05, Ginski, Richard wrote:
> The packet capture to determine payload was performed using WireShark.
>
>
> RICHARD GINSKI, CISSP
>
> URS | IT Corporate Security, Security Engineer | 7650 West Courtney 
> Campbell Causeway, Tampa, FL 33607
>
> | desk 813.675.6851
>
> This e-mail and any attachments contain URS Corporation confidential 
> information that may be proprietary or privileged. If you receive this 
> message in error or are not the intended recipient, you should not 
> retain, distribute, disclose or use any of this information and you 
> should destroy the e-mail and any attachments or copies.
>
> FROM: James Lay [mailto:jlay at ...3266...]
>  SENT: Friday, October 11, 2013 8:10 PM
>  TO: Snort-Sigs
>  SUBJECT: Re: [Snort-sigs] RAR File Detection
>
> On Oct 11, 2013, at 1:19 PM, "Ginski, Richard" 
> <richard.ginski at ...3849...
> [1]> wrote:
>
> Hi,
>
> I am new to the list and fairly-new to SNORT rule writing.
>
> I am trying to create a snort rule that detects "rar" files exiting 
> our network…regardless of protocol/service. (I am assuming clear 
> text-type protocols will only work here.) I am unable to create a rule 
> that will fire on the criteria I have supplied for that rule.
>

>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
> content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please 
> Ignore"; classtype:Test; rev:40; )
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; 
> content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore"; 
> classtype:Test; rev:40; )
>

Did you giver that -k none a go on your command line?

James


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


More information about the Snort-sigs mailing list