[Snort-sigs] Sql Bakups Snort Rule

nnposter nnposter at ...592...
Wed Jul 20 20:32:52 EDT 2005


Joseph Pierini <Joseph.Pierini at ...3117...> wrote:
> Can someone point me in the right direction? I'm looking for information on
> how to write a snort rule that would look for DB files being transferred
> from a server with file extensions of MDF, LDK, BAK or TRN.
> 
> I've started with something like this, but it's not working: 
> 
> alert tcp any any -> any any (content:"/"; nocase;
> pcre:"/filename\s*=\s*.*?\.(?=ldf|mdf|trn|bak)[\x27\x22\n\r\s]/iR";
> msg:"Possible transfer of DB Backup file!";
> classtype:successful-admin; priority:1;)

You have not specified what protocol you have in mind. If it is 
supposed to be MIME then your likely problem is an incorrect use 
of the positive look-ahead in your PCRE. Just drop it as in:

pcre:"/filename\s*=\s*.*?\.(ldf|mdf|trn|bak)[\x27\x22\n\r\s]/iR";

Keep in mind that this expression still has both false positive 
and negative weaknesses and should be further tuned.

<snip>


Cheers,
nnposter
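The look-ahead defect and the remaining false-negative weaknesses discussed above, shown as an added Python example (not code from the thread or from Snort). Snort's trailing `R` modifier (match relative to the previous `content`) has no `re` equivalent and is dropped; the `i` flag maps to `re.IGNORECASE`, and the header samples are constructed.

```python
import re

# The PCRE from the original rule (positive look-ahead) and the corrected form.
# Snort's "R" modifier is not represented here; only the expression body is tested.
ORIGINAL = r"filename\s*=\s*.*?\.(?=ldf|mdf|trn|bak)[\x27\x22\n\r\s]"
CORRECTED = r"filename\s*=\s*.*?\.(ldf|mdf|trn|bak)[\x27\x22\n\r\s]"

# Constructed sample MIME Content-Disposition headers (not captured traffic).
SAMPLES = {
    "quoted_mdf": 'Content-Disposition: attachment; filename="sales.mdf"\r\n',
    "bare_bak":   "Content-Disposition: attachment; filename=nightly.bak\r\n",
    "text_file":  'Content-Disposition: attachment; filename="report.txt"\r\n',
    # Parameter followed by ";" rather than a quote or whitespace: missed.
    "semicolon":  "Content-Disposition: attachment; filename=prod.ldf; size=1024\r\n",
    # Extension sits at the end of the buffer with no trailing delimiter: missed.
    "end_of_buf": "Content-Disposition: attachment; filename=prod.trn",
}


def matches(pattern: str, data: str) -> bool:
    """Return True if the pattern fires anywhere in the header text."""
    return re.search(pattern, data, re.IGNORECASE) is not None


def evaluate(pattern: str) -> dict:
    """Run one pattern over every sample and report which ones fire.

    With the look-ahead, "(?=ldf|...)" asserts that 'l', 'm', 't' or 'b'
    follows the dot, but the character class that follows must then consume
    that same character, which is never a quote or whitespace, so the
    original expression can never match. The corrected form consumes the
    extension and then requires a delimiter, which still misses the
    "semicolon" and "end_of_buf" cases.
    """
    return {name: matches(pattern, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, evaluate(pat))
```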



