Snort mailing list archives

Re: MP3's are evil... Searching for traffic based upon uploaded file type...


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 5 Aug 2010 12:20:30 -0400

As an aside, you can try, instead of removing your content, putting it in addition to your PCRE.

Place your pcre after your content and its modifiers, and see if that makes a difference.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:

Trying to fine tune some rules and remove false positives…  I was originally using the rule below to try and detect 
possible policy violations of anyone uploading MP3s from the internal network to the internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )

It was catching false positives and so I'm trying this one, but something seems to be lacking…

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )
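Added example, not part of the original thread: a small Python harness that approximates the two rule variants above on constructed outbound request fragments, plus the combined form Joel suggests (content kept as a prefilter, pcre evaluated after it). The `content:".mp3"; nocase;` option is modelled as a case-insensitive substring test and the pcre is used verbatim; the payloads, names and the `evaluate` helper are constructed for illustration and are not from the post. In Snort the content match also serves as the fast pattern, so the pcre only runs on packets that already contain ".mp3"; here the combined function mirrors that ordering.

```python
import re

# The pcre from the post. Snort's \" is simply a literal quote character,
# which is already covered by \W, so the third alternative adds nothing.
MP3_PCRE = re.compile(r'\w+\.mp3($|\W|")', re.IGNORECASE)

# Constructed request fragments (HOME_NET -> EXTERNAL_NET, to_server), not
# captured traffic. Each is a candidate for a false positive or true hit.
SAMPLE_PAYLOADS = {
    "upload": 'POST /upload HTTP/1.1\r\nContent-Disposition: form-data; name="file"; filename="song.mp3"\r\n',
    "dotdir": 'GET /index.html HTTP/1.1\r\nReferer: http://example.test/.mp3files/\r\n',
    "extended": 'GET /download?f=track.mp3x HTTP/1.1\r\n',
    "mixedcase": 'PUT /music/Holiday.MP3 HTTP/1.1\r\n',
    "unrelated": 'GET /search?q=mp3+player HTTP/1.1\r\n',
}


def content_match(payload):
    # Approximates content:".mp3"; nocase; as a case-insensitive substring test.
    return ".mp3" in payload.lower()


def pcre_match(payload):
    # The pcre from the post on its own: a word run, ".mp3", then end of
    # buffer, a non-word character, or a quote.
    return MP3_PCRE.search(payload) is not None


def combined_match(payload):
    # Content first as the cheap prefilter, pcre afterwards to confirm.
    return content_match(payload) and pcre_match(payload)


def evaluate(payloads=SAMPLE_PAYLOADS):
    # Returns {name: (content, pcre, combined)} for each constructed payload.
    return {
        name: (content_match(p), pcre_match(p), combined_match(p))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, (c, r, both) in evaluate().items():
        print(f"{name:10s} content={c!s:5} pcre={r!s:5} combined={both}")
```

Running it shows where the two variants diverge: the bare content option fires on ".mp3files" in a Referer header and on "track.mp3x", while the pcre rejects both because it requires word characters before the dot and a boundary after the extension; the genuine upload and the upper-case "Holiday.MP3" are matched by both, so the combined rule keeps the hits and drops those false positives.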
