[Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

Castle, Shane scastle at ...14946...
Thu Aug 5 12:08:03 EDT 2010


There are a couple of emerging threat rules that directly detect mp3
file transfers, one for inbound and one for outbound.

--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953


-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Thursday, August 05, 2010 09:54
To: Isherwood, Jeffrey - IS
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] MP3's are evil... Searching for traffic
basedupon uploaded file type...

What false positives were you catching?  Maybe we can help you whittle
those down.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:


	Trying to fine tune some rules and remove false positives...  I
was originally using the rule below to try and detect possible policy
violations of anyone uploading MP3s from the internal network to the
internet:

	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )

	It was catching false positives and so I'm trying this one, but
something seems to be lacking...

	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )
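As an added example (not code from anyone in this thread), the following Python harness applies the payload checks of the two rules above, the rev 4 `content:".mp3"` match and the rev 7 pcre, to constructed sample client-to-server HTTP requests, next to a stricter POST/PUT-plus-multipart-filename check that is my own assumption of what an upload-only rule would need. It shows that the pcre drops some substring hits (".mp3tagger", "=.mp3") but still fires on a plain GET download, which the rule text never distinguishes from an upload.

```python
import re

# Constructed sample request payloads (not real captures); the Snort rules only
# see client->server traffic because of flow:established,to_server.
SAMPLES = {
    "download_get":   b"GET /music/track01.mp3 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "bare_extension": b"GET /search?q=.mp3 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "lookalike":      b"GET /tools/audio.mp3tagger.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "upload_post":    (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                       b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
                       b'--XX\r\nContent-Disposition: form-data; name="f"; filename="song.mp3"\r\n'
                       b"Content-Type: audio/mpeg\r\n\r\nID3...\r\n--XX--\r\n"),
}

def rev4_content_match(payload: bytes) -> bool:
    """rev 4: content:".mp3"; nocase;  -> case-insensitive substring anywhere in the payload."""
    return b".mp3" in payload.lower()

# rev 7: pcre:"/\w+\.mp3($|\W|\")/i" -> the same expression in Python's re (ASCII \w/\W as in PCRE).
REV7 = re.compile(rb'\w+\.mp3($|\W|")', re.IGNORECASE)

def rev7_pcre_match(payload: bytes) -> bool:
    return REV7.search(payload) is not None

# Assumed stricter check (not from the thread): require an upload method and a
# multipart Content-Disposition whose filename ends in .mp3.
UPLOAD_METHOD = re.compile(rb'^(POST|PUT) ', re.IGNORECASE)
MP3_FILENAME = re.compile(rb'filename="[^"\r\n]*\.mp3"', re.IGNORECASE)

def upload_only_match(payload: bytes) -> bool:
    return bool(UPLOAD_METHOD.match(payload)) and bool(MP3_FILENAME.search(payload))

def evaluate(samples=SAMPLES):
    """Return {name: (rev4_hit, rev7_hit, upload_only_hit)} for side-by-side comparison."""
    return {name: (rev4_content_match(p), rev7_pcre_match(p), upload_only_match(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15s} rev4={hits[0]!s:5s} rev7={hits[1]!s:5s} upload_only={hits[2]}")
```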