[Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

Isherwood, Jeffrey - IS Jeffrey.Isherwood at ...14632...
Thu Aug 5 11:16:43 EDT 2010


Trying to fine tune some rules and remove false positives...  I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )

It was catching false positives and so I'm trying this one, but something seems to be lacking...

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )


________________________________
This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100805/df2a6a22/attachment.html>


More information about the Snort-users mailing list