Some simple Snort IDS/IPS rules for directional RAR file detection.
RAR File Extension and Header Detection Rules
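# Extension heuristic: alerts when the ASCII string ".rar" (any letter case) appears
# anywhere in an established TCP session, inbound (99991) or outbound (99992).
# This matches a file name or URL fragment, not archive content, so it also fires on
# web pages, e-mail bodies and directory listings that merely mention a .rar file.
# Treat hits as low-confidence and correlate them with the header rules.
# Payloads carried inside TLS or other encrypted sessions are not visible to this match.
# nocase is placed directly after the content it modifies, which is the conventional
# position for a content modifier.
# NOTE(review): sids below 1,000,000 fall in the range Snort reserves for its distributed
# rules; renumber into the local range (>= 1000000) before deploying, and update any
# suppress/threshold entries that reference these sids.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound RAR Extension, /.rar/i ASCII Match Detected"; flow:established; content:".rar"; nocase; classtype:policy-violation; sid:99991; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound RAR Extension, /.rar/i ASCII Match Detected"; flow:established; content:".rar"; nocase; classtype:policy-violation; sid:99992; rev:1;)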
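# Header match over TCP: alerts when the RAR marker bytes appear in an established
# session, inbound (99993) or outbound (99994).
# |52 61 72 21 1A 07| is "Rar!" followed by 0x1A 0x07, the prefix shared by the
# RAR 1.5-4.x marker (... 07 00) and the RAR 5 marker (... 07 01 00). The original
# seven-byte pattern ended in 00 and so missed RAR 5 archives; matching the shared
# prefix keeps the earlier coverage and adds RAR 5. rev is bumped because the
# detection logic changed.
# The pattern is not anchored with offset/depth because the archive normally starts
# after protocol framing (HTTP headers, SMTP/MIME headers), not at the payload start.
# Coverage gaps to keep in mind: archives sent inside TLS or another encrypted channel,
# or transformed in transit (base64 in MIME, compressed HTTP bodies), do not present
# these raw bytes to the rule unless a preprocessor decodes them first.
# NOTE(review): sids below 1,000,000 fall in the range Snort reserves for its distributed
# rules; renumber into the local range (>= 1000000) before deploying.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound RAR File Header Detected In TCP Payload"; flow:established; content:"|52 61 72 21 1A 07|"; classtype:policy-violation; sid:99993; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound RAR File Header Detected In TCP Payload"; flow:established; content:"|52 61 72 21 1A 07|"; classtype:policy-violation; sid:99994; rev:2;)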
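# Header match over UDP: alerts when the RAR marker bytes appear in a datagram,
# inbound (99995) or outbound (99996).
# |52 61 72 21 1A 07| is the prefix shared by the RAR 1.5-4.x marker (... 07 00) and
# the RAR 5 marker (... 07 01 00); the original seven-byte pattern ended in 00 and
# missed RAR 5 archives. rev is bumped because the detection logic changed.
# UDP payloads are inspected per datagram, so the marker is only seen when all six
# bytes arrive in the same packet.
# NOTE(review): flow:established on a UDP rule depends on the stream preprocessor
# tracking UDP sessions; if UDP tracking is disabled these rules presumably never
# match - confirm against the sensor configuration.
# NOTE(review): sids below 1,000,000 fall in the range Snort reserves for its distributed
# rules; renumber into the local range (>= 1000000) before deploying.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound RAR File Header Detected In UDP Payload"; flow:established; content:"|52 61 72 21 1A 07|"; classtype:policy-violation; sid:99995; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound RAR File Header Detected In UDP Payload"; flow:established; content:"|52 61 72 21 1A 07|"; classtype:policy-violation; sid:99996; rev:2;)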