Snort mailing list archives
Re: MP3's are evil... Searching for traffic based upon uploaded file type...
From: "Isherwood, Jeffrey - IS" <Jeffrey.Isherwood () itt com>
Date: Thu, 5 Aug 2010 13:09:26 -0400
Well, the false positives I was getting originally were from the "content" part of the rule being too loose. If anybody did something where .mp3 was listed in the session it triggered, rather just when someone uploaded one... I thought at first to try and limit my search to HTTP POSTs but thought about it some more and since there is certainly more than one way to upload a file, I figured that I should not limit it to HTTP POST... that's when I decided to try the PCRE version instead... however I can't seem to make the alert go off now. I could set off the Rev:4 version below by simply chatting with you or using an unencrypted email outbound with .mp3 in it. Even going to a website that had .mp3 on the page seemed to trigger the Rev:4 (content) version. Now that I'm trying the Rev:7 (PCRE) version below I can't seem to trigger it to make sure it works. I went to an unencrypted website that allows me to upload files, and tried to load one via its java front end and the alert did not fire... so I think I'm missing something... Shane suggested I look at the ET rules for an MP3 alert they have, I'll go take a poke at them... From: Joel Esler [mailto:jesler () sourcefire com] Sent: Thursday, August 05, 2010 12:21 PM To: Isherwood, Jeffrey - IS Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type... As an aside, you can try, instead of removing your content, put it in addition to your PCRE. Place your pcre after your content and it's modifiers, and see if that makes a difference. Joel On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote: Trying to fine tune some rules and remove false positives... I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; ) It was catching false positives and so I'm trying this one, but something seems to be lacking... alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; ) ________________________________ This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
------------------------------------------------------------------------------ The Palm PDK Hot Apps Program offers developers who use the Plug-In Development Kit to bring their C/C++ apps to Palm for a share of $1 Million in cash or HP Products. Visit us here for more details: http://p.sf.net/sfu/dev2dev-palm
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Rule efficiency, (continued)
- Re: Rule efficiency Alex Kirk (Jul 23)
- Re: Rule efficiency Joel Esler (Jul 23)
- Re: Rule efficiency Alex Kirk (Jul 23)
- Re: Rule efficiency waldo kitty (Jul 23)
- Re: Rule efficiency Isherwood, Jeffrey - IS (Jul 23)
- Re: Rule efficiency Alex Kirk (Jul 23)
- MP3's are evil... Searching for traffic based upon uploaded file type... Isherwood, Jeffrey - IS (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Joel Esler (Aug 05)
- Re: MP3's are evil... Searching for traffic basedupon uploaded file type... Castle, Shane (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Joel Esler (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Isherwood, Jeffrey - IS (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Jason Haar (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Joel Esler (Aug 05)
- Re: Rule efficiency waldo kitty (Jul 23)
- Re: Rule efficiency Isherwood, Jeffrey - IS (Jul 26)
- Re: Rule efficiency waldo kitty (Jul 26)
- Re: Rule efficiency Isherwood, Jeffrey - IS (Jul 26)
- Re: Rule efficiency Alex Tatistcheff (Sep 07)