[Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

Joel Esler jesler at ...1935...
Thu Aug 5 11:54:18 EDT 2010


What false positives were you catching?  Maybe we can help you whittle those down.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:

> Trying to fine tune some rules and remove false positives…  I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet:
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )
>  
> It was catching false positives and so I’m trying this one, but something seems to be lacking…
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )
> 

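An added example, not code from the thread or from Snort itself, that applies the two detection strategies in the quoted rules to constructed sample client-to-server payloads, so the difference between the plain `content:".mp3"` match and the `pcre` variant can be seen on concrete data. It assumes Python's `re` engine behaves like Snort's PCRE for this particular pattern, and that the payload strings below (all hypothetical) stand in for the reassembled stream Snort would inspect.

```python
"""
Added example: compare the two quoted Snort rules' match logic on sample data.
Not part of the original list post; payloads are constructed for illustration.
"""
import re
from typing import Dict, Tuple

# Second rule's PCRE: one or more word characters, then ".mp3", then either
# end of buffer, a non-word character, or a double quote (written as \" in
# the Snort rule because it sits inside the rule's own quoted string).
MP3_PCRE = re.compile(r'\w+\.mp3($|\W|")', re.IGNORECASE)


def content_match(payload: bytes) -> bool:
    """First rule: content:".mp3"; nocase;  -- a plain case-insensitive substring test."""
    return b".mp3" in payload.lower()


def pcre_match(payload: bytes) -> bool:
    """Second rule: pcre:"/\\w+\\.mp3($|\\W|\\")/i" applied to the same payload."""
    # latin-1 maps every byte to a code point, so arbitrary binary never fails to decode.
    return MP3_PCRE.search(payload.decode("latin-1")) is not None


# Constructed sample payloads in the flow:to_server direction (hypothetical hosts/paths).
SAMPLES: Dict[str, bytes] = {
    # Multipart upload carrying an MP3 file: the case both rules are meant to catch.
    "upload": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
        b'Content-Disposition: form-data; name="file"; filename="song.mp3"\r\n'
    ),
    # Same thing with an upper-case extension: both rules are case-insensitive.
    "upload_upper": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
        b'Content-Disposition: form-data; name="file"; filename="LOUD.MP3"\r\n'
    ),
    # ".mp3" is only a fragment of a longer token: the content match fires,
    # the PCRE does not because "p" follows ".mp3" and is a word character.
    "mp3player": (
        b"GET /static/js/widget.mp3player.js HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    ),
    # A client *requesting* an MP3 is also to_server traffic, so both rules fire
    # even though nothing is being uploaded: the direction keyword alone does
    # not distinguish uploads from downloads.
    "download": b"GET /music/track.mp3 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # Nothing MP3-related at all.
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def evaluate(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (content_rule_fires, pcre_rule_fires)} for each sample."""
    return {name: (content_match(p), pcre_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (c, p) in evaluate(SAMPLES).items():
        print(f"{name:13s} content={c!s:5s} pcre={p!s:5s}")
```

Running it shows the PCRE removing the substring-style hit on `widget.mp3player.js` while still matching the multipart `filename="song.mp3"` case; it also shows that a plain GET for an `.mp3` URL trips both rules, since `flow:established,to_server` covers every client request, not only uploads.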