Snort mailing list archives

Re: MP3's are evil... Searching for traffic based upon uploaded file type...


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Thu, 5 Aug 2010 10:08:03 -0600

There are a couple of Emerging Threats rules that directly detect MP3
file transfers, one for inbound and one for outbound.

--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953


-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, August 05, 2010 09:54
To: Isherwood, Jeffrey - IS
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] MP3's are evil... Searching for traffic
based upon uploaded file type...

What false positives were you catching?  Maybe we can help you whittle
those down.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:


Trying to fine-tune some rules and remove false positives...  I was
originally using the rule below to try and detect possible policy
violations of anyone uploading MP3s from the internal network to the
internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy:
Forbidden File Transfer from Internal to External";
flow:established,to_server; content:".mp3"; nocase; priority:3;
classtype:misc-activity; sid:1000005; gid:1; rev:4; )

It was catching false positives and so I'm trying this one, but
something seems to be lacking...

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy:
Forbidden File Transfer from Internal to External";
flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3;
classtype:misc-activity; sid:1000005; gid:1; rev:7; )
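The two rules quoted in the thread, modelled in Python as an added example (this is not code from the thread, from Snort, or from the Emerging Threats rules mentioned in the reply). The first two functions reduce the posted `content:".mp3"; nocase;` and `pcre:"/\w+\.mp3($|\W|\")/i"` options to their matching logic; the third is an assumed alternative that ignores filenames and instead looks for MP3 file content (an ID3v2 tag header or an MPEG Layer III frame header) in the body of an outbound POST/PUT. The HTTP request samples are constructed, not captured traffic, and the model deliberately skips Snort's stream reassembly and HTTP normalization.

```python
"""
Added example, not code from the thread: a small Python model of the two
Snort rules quoted above (a bare content:".mp3" match and the pcre
variant), plus an assumed third check that looks for MP3 *file content*
in the body of an outbound POST/PUT instead of the string ".mp3".
Run over constructed request samples to see where each one fires.
"""
import re


# ---- the two rules from the message, reduced to their matching logic ----

def rule_content(payload: bytes) -> bool:
    # content:".mp3"; nocase;  -> case-insensitive substring anywhere in the packet
    return b".mp3" in payload.lower()


PCRE_MP3 = re.compile(rb'\w+\.mp3($|\W|")', re.IGNORECASE)


def rule_pcre(payload: bytes) -> bool:
    # pcre:"/\w+\.mp3($|\W|\")/i"  -> a word, then .mp3, then end or a non-word char
    return PCRE_MP3.search(payload) is not None


# ---- an assumed content-based check (treats POST/PUT bodies as "uploads") ----

# ID3v2 tag header: "ID3", major version 2-4, revision, flags, four sync-safe size bytes (< 0x80)
ID3V2_HEADER = re.compile(rb"ID3[\x02-\x04][\x00-\xff][\x00-\xff][\x00-\x7f]{4}")


def has_mpeg_audio_frame(body: bytes) -> bool:
    """True if body holds a plausible MPEG Layer III frame header.

    The byte after the 0xFF sync must encode a non-reserved version and
    layer III; the next byte must carry a usable bitrate index (not 0 = free,
    not 15 = bad) and a non-reserved sampling-rate index. A single header is
    still weak evidence (random binaries contain 0xFF 0xFB now and then),
    which is why the ID3 tag is checked first.
    """
    for m in re.finditer(rb"\xff[\xe2\xe3\xf2\xf3\xfa\xfb]", body):
        i = m.start()
        if i + 2 >= len(body):
            continue
        b = body[i + 2]
        bitrate_index = b >> 4
        sample_rate_index = (b >> 2) & 0x03
        if bitrate_index not in (0, 15) and sample_rate_index != 3:
            return True
    return False


def parse_request(payload: bytes):
    # Split an HTTP request into (method, body); no validation beyond that.
    head, _, body = payload.partition(b"\r\n\r\n")
    method = head.split(b" ", 1)[0]
    return method, body


def rule_magic_upload(payload: bytes) -> bool:
    method, body = parse_request(payload)
    if method not in (b"POST", b"PUT"):
        return False
    return ID3V2_HEADER.search(body) is not None or has_mpeg_audio_frame(body)


# ---- constructed client -> server samples (not captured traffic) ----

def multipart(filename: bytes, ctype: bytes, data: bytes) -> bytes:
    return (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
            b"Content-Type: multipart/form-data; boundary=b\r\n\r\n"
            b"--b\r\nContent-Disposition: form-data; name=\"f\"; filename=\"" + filename + b"\"\r\n"
            b"Content-Type: " + ctype + b"\r\n\r\n" + data + b"\r\n--b--\r\n")


ID3_BLOB = b"ID3\x04\x00\x00\x00\x00\x00\x23TIT2\x00\x00\x00\x05\x00\x00\x00song"  # ID3v2.4 header + a TIT2 frame
FRAME_BLOB = b"\xff\xfb\x90\x44\x00\x00\x00\x00" + b"\x55" * 16               # MPEG-1 Layer III, 128 kbps, 44.1 kHz

SAMPLES = {
    "get_search":   b"GET /search?q=free+.mp3+converter HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "get_download": b"GET /media/song.mp3 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "post_form":    b"POST /playlist/add HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\ntitle=song.mp3&artist=nobody",
    "post_upload":  multipart(b"song.mp3", b"audio/mpeg", ID3_BLOB),
    "post_renamed": multipart(b"notes.txt", b"application/octet-stream", ID3_BLOB),
    "post_raw":     multipart(b"voice.bin", b"application/octet-stream", FRAME_BLOB),
}


def evaluate(payload: bytes) -> dict:
    return {
        "content_mp3": rule_content(payload),
        "pcre_mp3": rule_pcre(payload),
        "magic_upload": rule_magic_upload(payload),
    }


def run_all() -> dict:
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        cells = ["%s=%s" % (k, "HIT" if v else "-") for k, v in hits.items()]
        print("%-13s %s" % (name, "  ".join(cells)))
```

Running it shows the pattern behind the false positives: the bare content match fires on any mention of ".mp3" (search queries, download GETs, form fields), the pcre variant only trims the cases where ".mp3" is not preceded by a word character, and both still fire on downloads and form posts while missing a renamed file. The content-based check fires only when MP3 bytes actually leave in a request body, including the renamed and raw-frame uploads. In Snort terms that check corresponds roughly to matching the ID3 tag or frame-sync bytes with a `content` option qualified by `http_client_body` (an assumption about how one would translate it, not a rule from the thread).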
        
        




