Snort mailing list archives
Re: [Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download
From: Y M <snort () outlook com>
Date: Tue, 4 Feb 2014 09:19:00 +0000
This will largely depend on how you have your $HOME_NET and $EXTERNAL_NET configured in your snort.conf file. From the rule perspective, this will depend on:

- Direction of your rule: $HOME_NET -> $EXTERNAL_NET or $EXTERNAL_NET -> $HOME_NET
- Since the rule below seems to be alerting on TCP, you have to check the flow direction in the rule, if there is any.
- Whether the content match in the rule will satisfy the content pattern regardless of direction.

YM

Date: Wed, 29 Jan 2014 16:57:51 +0400
From: malinkinsa () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download

Hello!

I just recently started using snort. I have a question about one rule, set out in the message subject :)

Testing a rule, if I upload a file through the client to the server or the client takes a Dropbox file from a server on my computer, I get the following message:

[**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
01/29-22:52:30.221035 XXX.XXX.XXX.XXX:28152 -> 108.160.162.33:80 TCP TTL:41 TOS:0x0 ID:2084 IpLen:20 DgmLen:293 DF
***A**** Seq: 0xD0A65C80 Ack: 0x9A9A3FE7 Win: 0x3CB8 TcpLen: 20

But I want to somehow distinguish download or upload information. Maybe somebody did something similar.

Thank you!
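The three points above (rule direction, flow direction, and a content match that is specific to one side of the conversation) can be combined into a pair of local rules that fire separately for an upload and a download. The rules below are an added illustration, not the ET rule sid 2012647 and not anything from this thread: the message texts, the sids in the local 1000000+ range, and the choice of "Host: ...dropbox.com" plus an HTTP POST as the upload marker and a "Content-Disposition: attachment" response as the download marker are assumptions made for the example. They assume the http_inspect preprocessor is enabled and that the traffic is plaintext HTTP on $HTTP_PORTS, as in the port 80 alert quoted above; over TLS the method and headers are not visible to Snort and neither rule can match.

```snort
# Example rules, not the ET rule from this thread. Direction is expressed three
# times: in the rule header ($HOME_NET -> $EXTERNAL_NET), in the flow keyword
# (to_server / to_client), and in content that only appears on one side.

# 1) Upload: a client inside $HOME_NET sends an HTTP POST to a dropbox.com host.
#    Only request traffic carries the method and the Host header, so this can
#    never fire on the download side.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE POLICY Dropbox upload (HTTP POST to dropbox.com)"; flow:established,to_server; content:"POST"; http_method; content:"dropbox.com"; http_header; nocase; flowbits:set,example.dropbox.request; classtype:policy-violation; sid:1000001; rev:1;)

# 2) Mark any other request to a dropbox.com host without alerting, so the
#    response rule knows which server the client was talking to (HTTP responses
#    do not repeat the Host header, so the request has to remember it).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Dropbox request marker (no alert)"; flow:established,to_server; content:"dropbox.com"; http_header; nocase; flowbits:set,example.dropbox.request; flowbits:noalert; classtype:policy-violation; sid:1000002; rev:1;)

# 3) Download: the server's response on a flow marked above carries a file as
#    an attachment. The reversed header and flow:to_client restrict this rule
#    to server->client traffic only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE POLICY Dropbox download (attachment in response)"; flow:established,to_client; flowbits:isset,example.dropbox.request; content:"Content-Disposition|3a| attachment"; http_header; nocase; classtype:policy-violation; sid:1000003; rev:1;)
```

The first check worth doing on a rule that fires in both cases is the one YM describes: if the header reads $HOME_NET -> $EXTERNAL_NET, flow says to_server, and the content (a Host header or URI) appears in every request the client makes, then a download also produces a matching request and the alert says nothing about direction of the file itself. Splitting the markers as above (method on the request, attachment header on the response) is what makes the two rules distinguishable; the XXX.XXX.XXX.XXX:28152 -> 108.160.162.33:80 line in the alert output only tells you which side opened the TCP connection, which for HTTP is always the client.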