Re: File magic rules for 2.9.6, what options are required?

[Joshua Kinard <kumba () gentoo org>]

On 12/27/2013 5:22 PM, Victor Roemer wrote:

> 4. Attached is the Sourcefire "file_magic.conf" that contains a load of
> rules for identifying file types. When we originally put this together, the
> "ver" keyword was, at the time, not used.
>
> We had intended on releasing this file with the Snort 2.9.6 beta package,
> however we will be releasing this with 2.9.6 proper when the time comes.

Thanks!  This will explain things a lot better.  For kicks, I added a file
magic that, although rare, may not be totally extinct from networks just yet:

file type:NETWARE_NLM; id:172; category:Executables; msg:"Novell NetWare
Loadable Module (NLM)"; rev:1; content:|4e 65 74 57 61 72 65 20 4c 6f 61 64
61 62 6c 65 20 4d 6f 64 75 6c 65|; offset:0;

That content match quite literally spells out "NetWare Loadable Module",
from offset zero.  Can't get any more definitive than that, eh?

--J

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!