Snort mailing list archives
Re: RAR File Detection
From: "Ginski, Richard" <richard.ginski () urs com>
Date: Mon, 14 Oct 2013 13:05:43 +0000
The packet capture to determine payload was performed using WireShark. Richard Ginski, CISSP URS | IT Corporate Security, Security Engineer | 7650 West Courtney Campbell Causeway, Tampa, FL 33607 | desk 813.675.6851 This e-mail and any attachments contain URS Corporation confidential information that may be proprietary or privileged. If you receive this message in error or are not the intended recipient, you should not retain, distribute, disclose or use any of this information and you should destroy the e-mail and any attachments or copies. From: James Lay [mailto:jlay () slave-tothe-box net] Sent: Friday, October 11, 2013 8:10 PM To: Snort-Sigs Subject: Re: [Snort-sigs] RAR File Detection On Oct 11, 2013, at 1:19 PM, "Ginski, Richard" <richard.ginski () urs com<mailto:richard.ginski () urs com>> wrote: Hi, I am new to the list and fairly-new to SNORT rule writing. I am trying to create a snort rule that detects "rar" files exiting our network...regardless of protocol/service. (I am assuming clear text-type protocols will only work here.) I am unable to create a rule that will fire on the criteria I have supplied for that rule. In the content of the rule, I have tried using hex ("52 61 72 21 1A 07" to cover both versions of rar) and also ascii ("Rar!", with case sensitivity enabled/disabled). I did not define depth nor offset so that the entire payload is examined. I also performed a packet capture to confirm that both values for content exist in the payload of the packet capture. Further, to eliminate them as a potential cause, I also have replaced the variables with known IP values of the traffic captured. Still no luck. Below are the rules I've tried: alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please Ignore"; classtype:Test; rev:40; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore"; classtype:Test; rev:40; ) Richard Ginski, CISSP URS | IT Corporate Security, Security Engineer | 7650 West Courtney Campbell Causeway, Tampa, FL 33607 | desk 813.675.6851 Live traffic or pcap testing? If pcap add a -k none to your snort line. James
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- RAR File Detection Ginski, Richard (Oct 11)
- Re: RAR File Detection James Lay (Oct 11)
- Re: RAR File Detection Ginski, Richard (Oct 14)
- Re: RAR File Detection James Lay (Oct 14)
- Re: RAR File Detection Ginski, Richard (Oct 14)
- Re: RAR File Detection James Lay (Oct 14)
- Re: RAR File Detection Ginski, Richard (Oct 14)
- Re: RAR File Detection James Lay (Oct 11)