Snort mailing list archives

Re: MP3's are evil... Searching for traffic based upon uploaded file type...


From: "Isherwood, Jeffrey - IS" <Jeffrey.Isherwood () itt com>
Date: Thu, 5 Aug 2010 13:09:26 -0400

Well, the false positives I was getting originally were from the "content" part of the rule being too loose. If 
anybody did something where .mp3 was listed in the session it triggered, rather than just when someone uploaded one...

I thought at first to try and limit my search to HTTP POSTs but thought about it some more and since there is certainly 
more than one way to upload a file, I figured that I should not limit it to HTTP POST... that's when I decided to try 
the PCRE version instead... however I can't seem to make the alert go off now.  I could set off the Rev:4 version below 
by simply chatting with you or using an unencrypted email outbound with .mp3 in it.  Even going to a website that had 
.mp3 on the page seemed to trigger the Rev:4 (content) version.

Now that I'm trying the Rev:7 (PCRE) version below I can't seem to trigger it to make sure it works.  I went to an 
unencrypted website that allows me to upload files, and tried to load one via its java front end and the alert did not 
fire... so I think I'm missing something...

Shane suggested I look at the ET rules for an MP3 alert they have, I'll go take a poke at them...



From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, August 05, 2010 12:21 PM
To: Isherwood, Jeffrey - IS
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

As an aside, you can try, instead of removing your content, putting it in addition to your PCRE.

Place your pcre after your content and its modifiers, and see if that makes a difference.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:


Trying to fine-tune some rules and remove false positives...  I was originally using the rule below to try and detect 
possible policy violations of anyone uploading MP3s from the internal network to the internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )

It was catching false positives and so I'm trying this one, but something seems to be lacking...

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )
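The two rules above are Snort rules and cannot be exercised outside the engine, so as an added example (not part of the thread and not Snort's own code) the Python script below simulates their matching semantics over a few constructed client-to-server payloads. The content string and the PCRE are taken verbatim from the rev:4 and rev:7 rules; the sample payloads, the function names, the "content then pcre" ordering (Joel's suggestion) and the stricter multipart-filename variant at the end are my own assumptions. Run as a regex, the rev:7 PCRE accepts the same bare mentions of a ".mp3" name that the rev:4 content match does, so on its own it does not separate "mentions an mp3" from "uploads an mp3"; the last variant shows what anchoring on the upload context (a multipart file part) looks like instead.

```python
import re

# Constructed client-to-server payloads (not captures from the thread). Each
# stands for the application data Snort would inspect on an established,
# to_server flow.
SAMPLES = {
    # A chat line that merely mentions a filename: a false positive for an
    # "upload" policy, and the kind of hit the rev:4 content rule produced.
    "chat_mention": b"PRIVMSG #music :did you grab the new track.MP3 yet?\r\n",
    # An outbound request that downloads an mp3: mentions ".mp3", not an upload.
    "http_download": b"GET /media/intro.mp3 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # A multipart/form-data upload carrying an mp3 as a file part.
    "multipart_upload": (
        b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
        b"--XYZ\r\n"
        b'Content-Disposition: form-data; name="file"; filename="track01.mp3"\r\n'
        b"Content-Type: audio/mpeg\r\n\r\n"
        b"ID3\x03\x00\x00\x00\x00\x00\x00"   # constructed stand-in for file bytes
        b"\r\n--XYZ--\r\n"
    ),
    # Unrelated traffic that must not fire.
    "no_mp3": b"GET /about HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


# rev:4 from the thread: content:".mp3"; nocase;  (case-insensitive substring)
def content_mp3(payload: bytes) -> bool:
    return b".mp3" in payload.lower()


# rev:7 from the thread: pcre:"/\w+\.mp3($|\W|\")/i"  (same regex, Python re)
PCRE_MP3 = re.compile(rb'\w+\.mp3($|\W|")', re.IGNORECASE)


def pcre_mp3(payload: bytes) -> bool:
    return PCRE_MP3.search(payload) is not None


# Joel's suggestion: keep the content match as a cheap prefilter and evaluate
# the PCRE only when it hits (content:".mp3"; nocase; pcre:"/.../i"; in that
# order in the rule).
def content_then_pcre(payload: bytes) -> bool:
    return content_mp3(payload) and pcre_mp3(payload)


# Added stricter variant (my own, not from the thread): require the .mp3 name
# to be the filename of a multipart file part, which is what a browser or
# applet upload looks like on the wire. Untested Snort sketch of the same idea:
#   content:"filename=|22|"; nocase; pcre:"/[^\x22\r\n]*\.mp3\x22/iR";
MULTIPART_MP3 = re.compile(
    rb'Content-Disposition:[^\r\n]*filename="[^"\r\n]*\.mp3"', re.IGNORECASE
)


def multipart_mp3_upload(payload: bytes) -> bool:
    return MULTIPART_MP3.search(payload) is not None


RULES = {
    "rev4_content": content_mp3,
    "rev7_pcre": pcre_mp3,
    "content_then_pcre": content_then_pcre,
    "multipart_filename": multipart_mp3_upload,
}


def evaluate(samples=SAMPLES):
    """Return {sample_name: [names of rules that fire]} for each payload."""
    return {name: [r for r, fn in RULES.items() if fn(p)] for name, p in samples.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:18s} -> {hits or ['(no alert)']}")
```

The simulation only models the string matching; Snort's flow tracking, reassembly and HTTP preprocessing are outside it, so a rule that fires here may still be silent on a live sensor if the upload arrives over TLS, is split across packets, or uses a different encoding.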

