Re: query about preprocessor design

[Jason Brvenik <jasonb () sourcefire com>]

Bah, why go for hrdatabase.xls when you could go for 20090715ACH.xls
and 20092HPROMOTIONS.xls?

On Thu, Jul 9, 2009 at 6:25 PM, Jason Haar<Jason.Haar () trimble co nz> wrote:
> Hi there
>
> I was looking over README.dcerpc2 to see all the work that's gone into the
> CIFS/SMB/DCE protocols. The preprocessor allows snort to "see" things like
> connecting to shares - and you can even set up preprocessor-based alerts
> based on connection attempts against a list of "watchable" share names. All
> fine and good.
>
> However, my question is why is this done as a preprocessor option instead of
> a rule option? i.e. why is it "smb_invalid_shares" instead of rule option
> "dce_sharename"? It appears to be that preprocessors should limit their
> alerts to protocol inconsistencies - not standard functionality.
>
> I mean, isn't snort generally inconsistent at the moment? We have
> "uricontent" as a rule option - even though it's specific to HTTP, so there
> is precedence. I'd love to see options like "dce_sharename", "dce_filename"
> - as they have immediate value in the DLP (Data Loss Prevention) arena -
> somewhere I suspect Sourcefire is interested in? If I allow myself to get
> all overexcited, I'd even go as far as saying there should be a generic
> "filename" rule option - and that all the preprocessors you enable will add
> towards that definition. eg. enabling SMTP, FTP, HTTP and DCE preprocessors
> will enable snort to track a filename movement as email attachments,
> FTP/HTTP "PUT/POST" and Samba/CIFS transfers. e.g. I'd love to track
> "hrdatabase.xls" (I'm kidding!!!) around the network.
>
> Time for my meds ;-)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> ------------------------------------------------------------------------------
> Enter the BlackBerry Developer Challenge
> This is your chance to win up to $100,000 in prizes! For a limited time,
> vendors submitting new applications to BlackBerry App World(TM) will have
> the opportunity to enter the BlackBerry Developer Challenge. See full prize
> details at: http://p.sf.net/sfu/Challenge
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge  
This is your chance to win up to $100,000 in prizes! For a limited time, 
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize  
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users