[Snort-sigs] RAR File Detection

James Lay jlay at ...3266...
Mon Oct 14 11:33:11 EDT 2013


On 2013-10-14 09:26, Ginski, Richard wrote:
> I'm sorry. What command for what tool would I add the "-k none" to?
>

Snort....


>>
>> I am new to the list and fairly-new to SNORT rule writing.
>>
>> I am trying to create a snort rule that detects "rar" files exiting
>> our network…regardless of protocol/service. (I am assuming clear
>> text-type protocols will only work here.) I am unable to create a rule
>> that will fire on the criteria I have supplied for that rule.
>>
>
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
>> content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please
>> Ignore"; classtype:Test; rev:40; )
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
>> content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore";
>> classtype:Test; rev:40; )
>>
>
> Did you give that -k none a go on your command line?
>
> James
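Added example, not code from this thread or from the Snort project: a small Python script that emulates the two `content:` matches from Richard's quoted rules over constructed payloads (not captured traffic). It shows the practical difference between the two rules: the 6-byte hex magic `52 61 72 21 1A 07` only matches a real RAR header, while the bare string `"Rar!"` also matches ordinary text. The version check relies on the documented RAR layout, where the magic is followed by `00` for the legacy 1.5 through 4.x format and by `01 00` for RAR5; the sample names and helper functions are this example's own.

```python
"""Emulate the content matches of the two quoted Snort rules on sample payloads.

Added example; assumes nothing about Snort's own matching engine beyond the
fact that `content:` is a plain byte-substring search on the packet payload.
"""
from typing import Optional

# Patterns taken from the quoted rules.
RAR_MAGIC = bytes.fromhex("52 61 72 21 1A 07")  # first rule: "Rar!\x1a\x07"
RAR_TEXT = b"Rar!"                                # second rule: four-byte text

# Constructed sample payloads (hypothetical, not real traffic).
SAMPLES = {
    "rar4_archive": bytes.fromhex("52 61 72 21 1A 07 00") + b"\x90" * 12,
    "rar5_archive": bytes.fromhex("52 61 72 21 1A 07 01 00") + b"\x90" * 12,
    "html_text": b"<p>Rar! Richard, great catch on that one.</p>",
    "zip_archive": b"PK\x03\x04" + b"\x00" * 16,
}


def rar_format_version(payload: bytes) -> Optional[int]:
    """Return 4 (legacy 1.5-4.x), 5 (RAR5) or None, based on the byte(s)
    that follow the 6-byte magic in the RAR header."""
    idx = payload.find(RAR_MAGIC)
    if idx < 0:
        return None
    tail = payload[idx + len(RAR_MAGIC):]
    if tail[:1] == b"\x00":
        return 4
    if tail[:2] == b"\x01\x00":
        return 5
    return None


def evaluate(payload: bytes) -> dict:
    """Apply both rules' content matches to one payload."""
    return {
        "magic6": RAR_MAGIC in payload,   # would the hex-magic rule fire?
        "text4": RAR_TEXT in payload,     # would the "Rar!" rule fire?
        "version": rar_format_version(payload),
    }


def false_positive_names(samples=SAMPLES) -> list:
    """Samples the 4-byte text rule flags that the 6-byte magic rule does not."""
    return [
        name for name, payload in samples.items()
        if evaluate(payload)["text4"] and not evaluate(payload)["magic6"]
    ]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} {evaluate(payload)}")
    print("text-only false positives:", false_positive_names())
```

The script matches on raw bytes, so like the rules it will not see an archive carried inside an encrypted or compressed channel; James's `-k none` point is separate from the pattern itself: in Snort 2 that option turns off checksum verification, so packets whose TCP/IP checksums look wrong on the capture interface (commonly because of checksum offloading on the capturing host) are still handed to the detection engine rather than discarded before any rule is evaluated.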
