[Snort-sigs] SQL Backups Snort Rule
Joseph.Pierini at ...3117...
Wed Jul 20 11:30:36 EDT 2005
Can someone point me in the right direction? I'm looking for information on
how to write a Snort rule that would look for DB files being transferred
from a server with file extensions of MDF, LDK, BAK or TRN.
I've started with something like this, but it's not working:
alert tcp any any -> any any (content:"/"; nocase;
ible transfer of DB Backup file!"; classtype:successful-admin; priority:1;)
This gets anything with .bak, including URLs such as www.bakershoes.com, so it's not very useful.
alert tcp any any -> any any (content:".bak"; nocase; msg:"Possible transfer of DB Backup file!"; classtype:successful-admin; priority:1;)
Thank you in advance for your kindness,
Joseph Pierini, CISSP | Mgr. of Security Eng & Compliance
625 Second St
Petaluma, CA 94952
Joseph.Pierini at ...3118...
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x94DA8372
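An added example, not code from the original post or from the Snort project, that shows why a bare `content:".bak"` match fires on hostnames like www.bakershoes.com and how anchoring the extension to the end of the HTTP request URI avoids that. It assumes the transfer happens over HTTP (a client requesting the file from the server), that "LDK" in the post was meant as LDF, the SQL Server log-file extension, and that the rule's `pcre` option with the `U` (normalized URI) modifier and `flow:to_server,established` are acceptable in the local rule set; the sample requests are constructed, not captured traffic, and the `sid` is an arbitrary local-range value.

```python
import re

# Assumed Snort rule that the Python logic below mirrors. The pcre/U option
# tests the normalized request URI instead of the whole payload, so a .bak
# inside a Host header or a directory name no longer matches. LDF is assumed
# for the post's "LDK"; sid 1000001 is an arbitrary local-rule number.
SNORT_RULE = (
    "alert tcp any any -> $HOME_NET $HTTP_PORTS ("
    'msg:"Possible transfer of DB backup file"; '
    "flow:to_server,established; "
    'pcre:"/\\.(mdf|ldf|bak|trn)(\\?|$)/Ui"; '
    "classtype:successful-admin; priority:1; sid:1000001; rev:1;)"
)

# Python equivalent of the rule's pcre: the extension must sit at the end of
# the URI or immediately before a query string, matched case-insensitively.
EXT_RE = re.compile(r"\.(mdf|ldf|bak|trn)(\?|$)", re.IGNORECASE)

# Pulls the request URI out of an HTTP request line ("GET /x HTTP/1.1").
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d\r?$", re.MULTILINE)


def naive_match(request: str) -> bool:
    """The posted rule: content:".bak"; nocase; anywhere in the payload."""
    return ".bak" in request.lower()


def extension_match(request: str) -> bool:
    """Match only when the request URI itself ends in a DB file extension."""
    m = REQUEST_LINE_RE.search(request)
    if not m:
        return False
    return EXT_RE.search(m.group(1)) is not None


# Constructed sample requests (not captured traffic), chosen to separate the
# two approaches: true backup fetches, the bakershoes false positive, a
# directory name containing ".bak", and a mixed-case MDF with a query string.
SAMPLES = {
    "backup": "GET /backups/prod_20050719.bak HTTP/1.1\r\nHost: db.example.com\r\n\r\n",
    "bakershoes": "GET / HTTP/1.1\r\nHost: www.bakershoes.com\r\n\r\n",
    "mdf_query": "GET /db/Northwind.MDF?download=1 HTTP/1.0\r\nHost: db.example.com\r\n\r\n",
    "bakery_dir": "GET /photos.bakery/menu.jpg HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trn": "GET /logs/trans_0719.trn HTTP/1.1\r\nHost: db.example.com\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (naive_hit, extension_hit)} for each sample request."""
    return {name: (naive_match(req), extension_match(req)) for name, req in samples.items()}


if __name__ == "__main__":
    print(SNORT_RULE)
    for name, (naive, ext) in evaluate().items():
        print(f"{name:12s} naive={naive!s:5s} extension={ext}")
```

Running it shows the bakershoes and photos.bakery requests hit the naive substring check but not the extension check, while the Northwind.MDF and .trn requests are caught only by the extension check. The rule above covers HTTP requests to $HTTP_PORTS only; a copy of the same file pulled over FTP or SMB, or renamed before download, needs a separate rule, and `flow` requires stream reassembly to be enabled in snort.conf.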