[Snort-sigs] Sql Bakups Snort Rule
nnposter at ...592...
Wed Jul 20 20:32:52 EDT 2005
Joseph Pierini <Joseph.Pierini at ...3117...> wrote:
> Can someone point me in the right direction? I'm looking for information on
> how to write a snort rule that would look for DB files being transferred
> from a server with file extensions of MDF, LDK, BAK or TRN.
> I've started with something like this, but it's not working:
> alert tcp any any -> any any (content:"/"; nocase;
> msg:"Possible transfer of DB Backup file!";
> classtype:successful-admin; priority:1;)
You have not specified what protocol you have in mind. If it is
supposed to be MIME then your likely problem is an incorrect use
of the positive look-ahead in your PCRE. Just drop it as in:
Keep in mind that this expression still has both false positive
and negative weaknesses and should be further tuned.
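The look-ahead-free approach the reply recommends, as an added example that is not from the thread: the regex below matches a MIME `Content-Disposition` filename whose final extension is one of the database backup types from the question, and the Python function runs it over a constructed message fragment so the hits and the `name.bak.txt` decoy can be checked before the same regex is dropped into a Snort `pcre` option. Assumptions: "LDK" in the question is taken to mean LDF (the SQL Server transaction-log extension), the rule's `sid` is a placeholder, and `flow`/ports are left generic for illustration.

```python
import re

# Extensions from the thread. "LDK" in the question is assumed to mean LDF,
# the SQL Server transaction-log file extension (assumption, not from the thread).
DB_EXTENSIONS = ("mdf", "ldf", "bak", "trn")

# PCRE body without any look-ahead, as the reply suggests: match a MIME
# Content-Disposition filename whose last extension is one of the above.
# \x22 is a double quote, written as a hex escape so the same text can be
# pasted into a Snort pcre option without quote-escaping.
REGEX = (
    r"filename=\x22?"                                          # filename= plus optional opening quote
    r"([^\x22\r\n;]*\.(?:" + "|".join(DB_EXTENSIONS) + r"))"  # capture a name ending in a DB extension
    r"\x22?(?:\s|;|$)"                                         # optional closing quote, then delimiter or EOL
)

FILENAME_RE = re.compile(REGEX, re.IGNORECASE | re.MULTILINE)

# Illustrative Snort rule built around the same regex (assumed layout, not a
# rule from the thread). The sid is a placeholder in the local range.
SNORT_RULE = (
    "alert tcp any any -> any any ("
    'msg:"Possible transfer of DB backup file"; '
    "flow:established; "
    'content:"filename="; nocase; '      # cheap prefilter before the PCRE runs
    'pcre:"/' + REGEX + '/i"; '
    "classtype:successful-admin; priority:1; sid:1000001; rev:1;)"
)


def find_db_backup_filenames(payload: str) -> list[str]:
    """Return every attachment filename in payload whose final extension is a DB backup type."""
    return [m.group(1) for m in FILENAME_RE.finditer(payload)]


# Constructed MIME fragment for testing: two real hits, one trailing-extension
# decoy (notes.bak.txt, which must not match) and one unrelated attachment.
SAMPLE_MIME = (
    'Content-Type: application/octet-stream; name="sales_db.MDF"\r\n'
    'Content-Disposition: attachment; filename="sales_db.MDF"\r\n'
    "\r\n"
    'Content-Disposition: attachment; filename="notes.bak.txt"\r\n'
    "Content-Disposition: attachment; filename=nightly.trn\r\n"
    'Content-Disposition: inline; filename="photo.jpg"\r\n'
)

if __name__ == "__main__":
    for name in find_db_backup_filenames(SAMPLE_MIME):
        print("DB backup attachment:", name)
    print(SNORT_RULE)
```

The trailing `\x22?(?:\s|;|$)` is what stops `notes.bak.txt` from matching on its inner `.bak`; the `content:"filename="` option in the rule lets Snort skip the PCRE entirely on packets that cannot match. The false-negative side the reply mentions is visible in the sample too: the `Content-Type` header carries the same name in a `name=` parameter that this regex deliberately ignores.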