Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RAR File Detection

From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 11 Oct 2013 18:09:32 -0600

On Oct 11, 2013, at 1:19 PM, "Ginski, Richard" <richard.ginski () urs com> wrote:


Hi,
 
I am new to the list and fairly-new to SNORT rule writing.
 
I am trying to create a snort rule that detects “rar” files exiting our network…regardless of protocol/service. (I am 
assuming clear text-type protocols will only work here.) I am unable to create a rule that will fire on the criteria 
I have supplied for that rule.
 
In the content of the rule, I have tried using hex (“52 61 72 21 1A 07” to cover both versions of rar)  and also 
ascii (“Rar!”, with case sensitivity enabled/disabled). I did not define depth nor offset so that the entire payload 
is examined. I also performed a packet capture to confirm that both values for content exist in the payload of the 
packet capture. Further, to eliminate them as a potential cause, I also have replaced the variables with known IP 
values of the traffic captured. Still no luck.
 
Below are the rules I’ve tried:
 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"|52 61 72 21 1A 07|"; msg:"RAR file 
Detected_Testing_Please Ignore"; classtype:Test; rev:40; )
 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"Rar!"; msg:"RAR file 
Detected_Testing_Please Ignore"; classtype:Test; rev:40; )

Richard Ginski, CISSP
URS  |  IT Corporate Security, Security Engineer |  7650 West Courtney Campbell Causeway, Tampa, FL  33607
| desk 813.675.6851
 
 


Live traffic or pcap testing?  If pcap add a -k none to your snort line.

James

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: