[Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download

Сергей Малинкин malinkinsa at ...2420...
Wed Jan 29 07:57:51 EST 2014


I just recently started using Snort.

I have a question about one rule, set out in the message subject :)

When testing the rule, if I upload a file through the client to the server, or the
client takes a Dropbox file from a server onto my computer, I get the following:

[**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
01/29-22:52:30.221035 XXX.XXX.XXX.XXX:28152 ->
TCP TTL:41 TOS:0x0 ID:2084 IpLen:20 DgmLen:293 DF
***A**** Seq: 0xD0A65C80 Ack: 0x9A9A3FE7 Win: 0x3CB8 TcpLen: 20

But I want to somehow distinguish between download and upload information.
Maybe somebody has done something similar.

Thank you!