Snort mailing list archives

Re: RAR File Detection

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 14 Oct 2013 09:00:12 -0600

On 2013-10-14 07:05, Ginski, Richard wrote:

The packet capture to determine payload was performed using 
WireShark.


RICHARD GINSKI, CISSP

URS | IT Corporate Security, Security Engineer | 7650 West Courtney
Campbell Causeway, Tampa, FL 33607

| desk 813.675.6851

This e-mail and any attachments contain URS Corporation confidential
information that may be proprietary or privileged. If you receive 
this
message in error or are not the intended recipient, you should not
retain, distribute, disclose or use any of this information and you
should destroy the e-mail and any attachments or copies.

FROM: James Lay [mailto:jlay () slave-tothe-box net]
 SENT: Friday, October 11, 2013 8:10 PM
 TO: Snort-Sigs
 SUBJECT: Re: [Snort-sigs] RAR File Detection

On Oct 11, 2013, at 1:19 PM, "Ginski, Richard" 
<richard.ginski () urs com
[1]> wrote:

Hi,

I am new to the list and fairly-new to SNORT rule writing.

I am trying to create a snort rule that detects "rar" files exiting
our network…regardless of protocol/service. (I am assuming clear
text-type protocols will only work here.) I am unable to create a 
rule
that will fire on the criteria I have supplied for that rule.


alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please
Ignore"; classtype:Test; rev:40; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1;
content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore";
classtype:Test; rev:40; )


Did you giver that -k none a go on your command line?

James


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

RAR File Detection Ginski, Richard (Oct 11)
- Re: RAR File Detection James Lay (Oct 11)
  - Re: RAR File Detection Ginski, Richard (Oct 14)
    - Re: RAR File Detection James Lay (Oct 14)
    - Re: RAR File Detection Ginski, Richard (Oct 14)
    - Re: RAR File Detection James Lay (Oct 14)