Snort mailing list archives

sid: 2012647 How to understand user upload file to the server, or download


From: Сергей Малинкин <malinkinsa () gmail com>
Date: Wed, 29 Jan 2014 16:57:51 +0400

Hello!

I just recently started using snort.

I have a question about one rule, set out in the message subject :)


Testing a rule: if I upload a file through the client to the server, or the
client takes a Dropbox file from a server on my computer, I get the following
message:

[**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
01/29-22:52:30.221035 XXX.XXX.XXX.XXX:28152 -> 108.160.162.33:80
TCP TTL:41 TOS:0x0 ID:2084 IpLen:20 DgmLen:293 DF
***A**** Seq: 0xD0A65C80 Ack: 0x9A9A3FE7 Win: 0x3CB8 TcpLen: 20

But I want to somehow distinguish between a download and an upload.
Maybe somebody has done something similar.


Thank you!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

