Snort mailing list archives
Re: File magic rules for 2.9.6, what options are required?
From: Joshua Kinard <kumba () gentoo org>
Date: Fri, 27 Dec 2013 20:14:54 -0500
On 12/27/2013 5:22 PM, Victor Roemer wrote:
> 4. Attached is the Sourcefire "file_magic.conf" that contains a load of rules for identifying file types. When we originally put this together, the "ver" keyword was, at the time, not used. We had intended on releasing this file with the Snort 2.9.6 beta package, however we will be releasing this with 2.9.6 proper when the time comes.
Thanks! This will explain things a lot better.

For kicks, I added a file magic that, although rare, may not be totally extinct from networks just yet:

    file type:NETWARE_NLM; id:172; category:Executables; msg:"Novell NetWare Loadable Module (NLM)"; rev:1; content:|4e 65 74 57 61 72 65 20 4c 6f 61 64 61 62 6c 65 20 4d 6f 64 75 6c 65|; offset:0;

That content match quite literally spells out "NetWare Loadable Module", from offset zero. Can't get any more definitive than that, eh?

--J
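As an added example (not part of the thread, and not Snort's own file-identification code): a small stand-alone Python checker that parses rules written in the file_magic.conf syntax shown above and tries them against byte buffers, the way you would sanity-test a new magic before dropping it into the config. The NETWARE_NLM rule is the one posted in the message; the LHA rule, its id value 9999, the sample buffers and the acceptance of a quoted-string `content:"..."` form alongside the `|hex|` form are all assumptions made for this example.

```python
"""Added example: parse Snort 2.9.6-style file_magic rules and test them
against byte buffers.  Not Snort's own code; a stand-alone checker for
sanity-testing a rule before it goes into file_magic.conf."""
import re

# The NETWARE_NLM rule is the one posted in the thread.  The LHA rule and
# its id (9999) are constructed for this example only.
RULES_TEXT = r'''
# comment lines and blank lines are skipped
file type:NETWARE_NLM; id:172; category:Executables; msg:"Novell NetWare Loadable Module (NLM)"; rev:1; content:|4e 65 74 57 61 72 65 20 4c 6f 61 64 61 62 6c 65 20 4d 6f 64 75 6c 65|; offset:0;
file type:LHA; id:9999; category:Archive; msg:"LHA archive (constructed example)"; rev:1; content:"-lh"; offset:2;
'''

# One 'key:value;' option.  A value is a quoted string, a |hex| block, or
# anything up to the next semicolon.
_OPT_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|\|[^|]*\||[^;]*);')


def parse_rule(line):
    """Turn one 'file ...;' line into a dict; content/offset pairs keep their order."""
    line = line.strip()
    if not line.startswith("file "):
        raise ValueError("not a file magic rule: %r" % line)
    rule = {"contents": []}
    for key, val in _OPT_RE.findall(line[len("file "):]):
        if key == "content":
            if val.startswith('"'):
                data = val[1:-1].encode("latin-1")   # quoted-text form (assumed)
            else:
                data = bytes.fromhex(val.strip("|"))  # |xx xx| form, as on the page
            rule["contents"].append({"bytes": data, "offset": 0})
        elif key == "offset":
            # offset modifies the content clause that precedes it
            if not rule["contents"]:
                raise ValueError("offset before any content in %r" % line)
            rule["contents"][-1]["offset"] = int(val)
        elif key == "msg":
            rule["msg"] = val[1:-1]
        elif key in ("id", "rev"):
            rule[key] = int(val)
        else:
            rule[key] = val.strip()   # type, category, ver, ... kept verbatim
    if not rule["contents"]:
        raise ValueError("rule has no content clause: %r" % line)
    return rule


def load_rules(text):
    """Parse every rule line in a file_magic.conf-style blob."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def matches(rule, data):
    """True when every content clause is found at its absolute offset.
    A buffer shorter than offset + len(content) cannot match."""
    for clause in rule["contents"]:
        off, want = clause["offset"], clause["bytes"]
        if data[off:off + len(want)] != want:
            return False
    return True


def identify(rules, data):
    """Return the 'type' of every rule that matches the buffer."""
    return [r["type"] for r in rules if matches(r, data)]


# Constructed sample file headers (not real captures).
NLM_SAMPLE = b"NetWare Loadable Module" + b"\x00" * 9 + b"rest of header"
LHA_SAMPLE = b"\x1d\x9b-lh5-" + b"\x00" * 16   # two header bytes, then "-lh" at offset 2
TEXT_SAMPLE = b"NetWare Loadable"              # truncated; must not match

if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for name, buf in (("nlm", NLM_SAMPLE), ("lha", LHA_SAMPLE), ("text", TEXT_SAMPLE)):
        print(name, identify(rules, buf))
```

The checker only does what the rule text itself says: an exact byte comparison at an absolute offset, with a truncated buffer treated as a non-match. Snort's real file identification engine does more than this (it walks the rules against the reassembled file data it sees), so treat the script as a way to catch a mis-typed hex string or a wrong offset, not as a substitute for testing the rule in Snort.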
Current thread:
- File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 26)
- Re: File magic rules for 2.9.6, what options are required? Joel Esler (jesler) (Dec 26)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joel Esler (jesler) (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Hui Cao (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Victor Roemer (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joel Esler (jesler) (Dec 26)