[Snort-users] Snort 2.8.4 RC1 Released

Jason Haar Jason.Haar at ...294...
Wed Feb 11 16:20:05 EST 2009


Todd Wease wrote:
> Just in case anyone is wondering, the README.dcerpc2 did not make it
> into the RC1 distribution.  In case anyone is interested, see attached.
>   
That's really great to see all the extra work going into the CIFS world,
but it still appears to be oriented around catching protocol
exploits. Are you looking to generalize it - like snort does with HTTP?
(e.g. "uricontent")

i.e. I'd love to be able to have rules like

alert any any -> $SENSITIVE_SERVERS $cifs_ports (msg:"DLP trigger:
sensitive NetBIOS file access"; cifsfilename:"*.ppt"; content:"top
secret"....)
alert any any -> any $cifs_ports (msg:"DLP trigger: sensitive NetBIOS
dir access"; cifsdirname:"private"; content:"top secret"....)
alert any any -> $SENSITIVE_SERVERS $cifs_ports (msg:"DLP trigger:
unauthorized backup of >500 sensitive files";
cifsfilename:"*";threshold:type threshold, track by_src, count 500,
seconds 600; )

Just some ideas (I know you're sniffing around the DLP market ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
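The three rule sketches above combine a file-name glob, a directory-name match, a content match, and a Snort-style `threshold: type threshold, track by_src, count N, seconds M` counter. The following is an added example written for this page, not code from the post or from the Snort project: a small Python detector that evaluates those matchers over constructed CIFS file-access events. The `cifsfilename` / `cifsdirname` keywords are the post's hypothetical syntax and do not exist in Snort; the event records, IP addresses, share paths and file contents are all constructed for the demo.

```python
"""Toy detector for the CIFS DLP rule ideas in the post (added example, not
Snort code).  Matchers: glob on the file's basename, exact directory name
anywhere in the path, byte-string content search, plus a Snort-like
'type threshold, track by_src' counter that fires every `count` matching
events seen from one source inside a `seconds` window."""
from collections import defaultdict, deque
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class CifsEvent:
    ts: float    # seconds since capture start (constructed)
    src: str     # client address
    dst: str     # file server address
    path: str    # UNC path of the file being accessed
    data: bytes  # file bytes seen on the wire for this access


@dataclass
class Rule:
    msg: str
    filename: Optional[str] = None    # glob applied to the basename (hypothetical cifsfilename)
    dirname: Optional[str] = None     # directory component to match (hypothetical cifsdirname)
    content: Optional[bytes] = None   # byte string that must appear in the data
    count: int = 1                    # threshold count; 1 means alert on every match
    seconds: int = 0                  # threshold window in seconds


def rule_matches(rule: Rule, ev: CifsEvent) -> bool:
    """Apply the per-event matchers of one rule (no thresholding)."""
    parts = [p for p in ev.path.replace("\\", "/").split("/") if p]
    basename = parts[-1] if parts else ""
    dirs = [d.lower() for d in parts[:-1]]
    if rule.filename is not None and not fnmatch(basename.lower(), rule.filename.lower()):
        return False
    if rule.dirname is not None and rule.dirname.lower() not in dirs:
        return False
    if rule.content is not None and rule.content not in ev.data:
        return False
    return True


class Detector:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (rule index, source address) -> timestamps of recent matches
        self._hits: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)

    def process(self, ev: CifsEvent) -> List[str]:
        alerts = []
        for i, rule in enumerate(self.rules):
            if not rule_matches(rule, ev):
                continue
            if rule.count <= 1:
                alerts.append(f"{rule.msg} src={ev.src} path={ev.path}")
                continue
            q = self._hits[(i, ev.src)]
            q.append(ev.ts)
            # drop matches that fell out of the sliding window
            while q and ev.ts - q[0] > rule.seconds:
                q.popleft()
            if len(q) >= rule.count:
                alerts.append(f"{rule.msg} src={ev.src} count={len(q)} in {rule.seconds}s")
                q.clear()  # 'type threshold': restart counting after each alert
        return alerts


RULES = [
    Rule("DLP trigger: sensitive NetBIOS file access", filename="*.ppt", content=b"top secret"),
    Rule("DLP trigger: sensitive NetBIOS dir access", dirname="private", content=b"top secret"),
    Rule("DLP trigger: unauthorized backup of >500 sensitive files",
         filename="*", count=500, seconds=600),
]


def run_demo() -> List[str]:
    """Feed constructed traffic through the detector and return the alerts."""
    det = Detector(RULES)
    events: List[CifsEvent] = []
    # 10.0.0.5 pulls 520 files at one per second: crosses 500 inside 600 s once.
    for i in range(520):
        events.append(CifsEvent(i, "10.0.0.5", "10.0.1.20", f"\\\\fs01\\docs\\file{i}.txt", b""))
    # 10.0.0.7 reads 600 files at one per 10 s: never 500 inside any 600 s window.
    for i in range(600):
        events.append(CifsEvent(i * 10, "10.0.0.7", "10.0.1.20", f"\\\\fs01\\docs\\slow{i}.txt", b""))
    # One sensitive access hits both content rules; one benign .ppt hits neither.
    events.append(CifsEvent(7000, "10.0.0.9", "10.0.1.20",
                            "\\\\fs01\\private\\roadmap.ppt", b"... top secret ..."))
    events.append(CifsEvent(7001, "10.0.0.9", "10.0.1.20",
                            "\\\\fs01\\public\\notes.ppt", b"lunch menu"))
    alerts: List[str] = []
    for ev in events:
        alerts.extend(det.process(ev))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The threshold semantics follow Snort's `type threshold` (alert every `count` matches within `seconds`, then start over); `type limit` would instead alert on the first `count` matches and then go quiet for the rest of the window, which is a one-line change in `process`.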
