Snort mailing list archives
Re: RAR File Detection
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 14 Oct 2013 09:33:11 -0600
On 2013-10-14 09:26, Ginski, Richard wrote:
I'm sorry. What command for what tool would I add the "-k none" to?
Snort....
I am new to the list and fairly-new to SNORT rule writing. I am trying to create a snort rule that detects "rar" files exiting our network…regardless of protocol/service. (I am assuming clear text-type protocols will only work here.) I am unable to create a rule that will fire on the criteria I have supplied for that rule.alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"|52 61 72 21 1A 07|"; msg:"RAR file Detected_Testing_Please Ignore"; classtype:Test; rev:40; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:1002235; gid:1; content:"Rar!"; msg:"RAR file Detected_Testing_Please Ignore"; classtype:Test; rev:40; )Did you giver that -k none a go on your command line? James
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- RAR File Detection Ginski, Richard (Oct 11)
- Re: RAR File Detection James Lay (Oct 11)
- Re: RAR File Detection Ginski, Richard (Oct 14)
- Re: RAR File Detection James Lay (Oct 14)
- Re: RAR File Detection Ginski, Richard (Oct 14)
- Re: RAR File Detection James Lay (Oct 14)
- Re: RAR File Detection Ginski, Richard (Oct 14)
- Re: RAR File Detection James Lay (Oct 11)