[Snort-sigs] Sql Bakups Snort Rule

Joseph Pierini Joseph.Pierini at ...3117...
Wed Jul 20 11:30:36 EDT 2005


Can someone point me in the right direction? I'm looking for information on
how to write a Snort rule that would look for DB files being transferred
from a server with file extensions of MDF, LDF, BAK or TRN.

 

I've started with something like this, but it's not working: 

 

alert tcp any any -> any any (content:"/"; nocase; pcre:"/filename\s*=\s*.*?\.(?=ldf|mdf|trn|bak)[\x27\x22\n\r\s]/iR"; msg:"Possible transfer of DB Backup file!"; classtype:successful-admin; priority:1;)

 

This gets anything with .bak, including URLs such as www.bakershoes.com,
so it's not very useful.

 

alert tcp any any -> any any (content:".bak"; nocase; msg:"Possible transfer of DB Backup file!"; classtype:successful-admin; priority:1;)

 

 

Thank you in advance for your kindness,

 

Joseph Pierini, CISSP | Mgr. of Security Eng & Compliance

MarketLive, Inc.

625 Second St

Petaluma, CA 94952

Phn: 707-773-3434

Mbl: 707-758-6573

Joseph.Pierini at ...3118...

PGP Public Key <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x94DA8372>

 
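As an added example, not code from the original post or from the Snort project, here is a Python script that runs the posted pcre and the plain ".bak" content match over a few constructed HTTP messages next to a corrected pattern, so the reason the first rule never fires (a lookahead consumes nothing, so the character class after it must match at the same offset as the extension) and the reason the second one fires on bakershoes.com are both visible on real-looking input. The sample headers, the corrected pattern, and the suggested rule's direction, variables, flow option and sid are all assumptions made for this example.

```python
import re

# Snort's pcre option takes PCRE syntax with trailing flags; the posted rule used
# /.../iR.  Python's re runs this pattern unchanged with re.IGNORECASE.  The R
# flag (search relative to the last content match) has no re equivalent, so the
# helpers below search the whole buffer, which is also what the rule does
# without R.

# Pattern exactly as posted.  (?=ldf|mdf|trn|bak) is a lookahead: it consumes
# nothing, so the character class that follows has to match at the very same
# offset as the first letter of the extension.  No byte is both a letter and a
# quote/whitespace, so this pattern can never match any packet.
POSTED_PCRE = r"filename\s*=\s*.*?\.(?=ldf|mdf|trn|bak)[\x27\x22\n\r\s]"

# Corrected pattern (an assumption of this example, not from the post):
#  - the extension is captured instead of looked ahead at;
#  - the filename part cannot cross a quote or a line end, so a later header
#    cannot supply the extension;
#  - the extension must be followed by a delimiter (quote, whitespace, ';')
#    or the end of the buffer, so "www.bakershoes.com" does not qualify.
# \x3b is ';' written so the rule text stays safe for Snort's option parser.
FIXED_PCRE = (r"filename\s*=\s*[\x27\x22]?[^\x27\x22\r\n]*?"
              r"\.(ldf|mdf|trn|bak)(?=[\x27\x22\s\x3b]|$)")

# Suggested rule text built from FIXED_PCRE.  Direction, variables, the flow
# option and the sid are assumptions for a local.rules file.
SUGGESTED_SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"Possible transfer of DB backup file"; '
    'flow:from_server,established; '
    'content:"filename"; nocase; '      # cheap pre-filter before the pcre runs
    'pcre:"/' + FIXED_PCRE + '/i"; '
    'classtype:successful-admin; priority:1; sid:1000001; rev:1;)'
)

# Constructed sample traffic (not captures from the original post).
SAMPLE_BACKUP_DOWNLOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"sales_db.BAK\"\r\n"
    "Content-Length: 1048576\r\n\r\n"
)
SAMPLE_MDF_DOWNLOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Disposition: attachment; filename=master.mdf; size=4194304\r\n\r\n"
)
SAMPLE_SHOE_SHOP = (
    "GET /catalog/index.html HTTP/1.1\r\n"
    "Host: www.bakershoes.com\r\n\r\n"
)
# A filename= parameter whose value merely contains ".bak" mid-word.
SAMPLE_SHOE_FILENAME = (
    "GET /fetch?filename=www.bakershoes.com/catalog.html HTTP/1.1\r\n"
    "Host: www.bakershoes.com\r\n\r\n"
)
# A compressed backup: the delimiter requirement means this is NOT matched;
# archives of backups need a rule of their own.
SAMPLE_ZIPPED_BACKUP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Disposition: attachment; filename=\"nightly.bak.zip\"\r\n\r\n"
)

SAMPLES = {
    "backup_download": SAMPLE_BACKUP_DOWNLOAD,
    "mdf_download": SAMPLE_MDF_DOWNLOAD,
    "shoe_shop_host": SAMPLE_SHOE_SHOP,
    "shoe_shop_filename": SAMPLE_SHOE_FILENAME,
    "zipped_backup": SAMPLE_ZIPPED_BACKUP,
}


def posted_rule_hits(payload: str) -> bool:
    """True if the pcre from the first posted rule matches (it never does)."""
    return re.search(POSTED_PCRE, payload, re.IGNORECASE) is not None


def naive_content_hits(payload: str) -> bool:
    """The second posted rule, content:".bak"; nocase;, as a substring test."""
    return ".bak" in payload.lower()


def backup_extension(payload: str):
    """Lower-cased extension named by a filename= value, or None."""
    m = re.search(FIXED_PCRE, payload, re.IGNORECASE)
    return m.group(1).lower() if m else None


def evaluate(samples: dict) -> dict:
    """Run all three detections over the samples for side-by-side comparison."""
    return {name: (posted_rule_hits(p), naive_content_hits(p), backup_extension(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (posted, naive, ext) in evaluate(SAMPLES).items():
        print(f"{name:20} posted={posted!s:5} naive={naive!s:5} fixed={ext}")
    print("\n" + SUGGESTED_SNORT_RULE)
```

The corrected pattern still only catches the filename parameter of a Content-Disposition header or a URL query string; a backup pulled over SMB, FTP or a raw TCP copy carries no such header, so this rule should be read as one signal rather than a complete control for backup exfiltration.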
