[Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

Joel Esler jesler at ...1935...
Thu Aug 5 12:20:30 EDT 2010


As an aside, you can try, instead of removing your content, putting it in addition to your PCRE.

Place your pcre after your content and its modifiers, and see if that makes a difference.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:

> Trying to fine tune some rules and remove false positives…  I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet:
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )
>  
> It was catching false positives and so I’m trying this one, but something seems to be lacking…
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )

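To make the difference between the two rule variants concrete, here is an added example (not code from the list thread or from Snort itself) that models the `content:".mp3"; nocase;` option as a case-insensitive substring prefilter and the rev:7 `pcre` as the confirming check, then runs both over a handful of constructed HTTP request payloads. The sample payloads, the hostnames in them and the helper names are assumptions for illustration. Running it shows why keeping the content match in front of the pcre, as Joel suggests, loses no detections (the regex can only match where ".mp3" is present), while the pcre alone is what rejects the ".mp3tools" style false positive.

```python
import re

# Model of the rule's fast-path option: content:".mp3"; nocase;
CONTENT = ".mp3"

# Same expression as the rev:7 pcre option; Snort's \" is plain " once unescaped.
PCRE = re.compile(r'\w+\.mp3($|\W|")', re.IGNORECASE)


def content_match(payload: str) -> bool:
    """Case-insensitive substring search, standing in for content + nocase."""
    return CONTENT.lower() in payload.lower()


def pcre_match(payload: str) -> bool:
    """The confirming regex on its own (the rev:7 rule as posted)."""
    return PCRE.search(payload) is not None


def rule_matches(payload: str) -> bool:
    """content first, then pcre, which is the ordering Joel recommends."""
    return content_match(payload) and pcre_match(payload)


# Constructed request payloads (not real captures), all in the to_server direction.
SAMPLES = {
    # A genuine upload of an .mp3 file by filename (hypothetical host).
    "put_upload": "PUT /uploads/track01.mp3 HTTP/1.1\r\nHost: files.example\r\n\r\n",
    # A browser multipart upload; the filename is quoted, so the pcre's \W alternative fires.
    "multipart": (
        "POST /upload HTTP/1.1\r\nHost: files.example\r\n"
        "Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n--XYZ\r\n"
        'Content-Disposition: form-data; name="f"; filename="song.MP3"\r\n'
    ),
    # A request to *download* an .mp3: also to_server, so either rule fires on it.
    "download_request": "GET /music/hit.mp3 HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    # "mp3" without a preceding dot: neither option matches.
    "host_only": "GET / HTTP/1.1\r\nHost: mp3.example\r\n\r\n",
    # ".mp3" followed by a word character: content fires, pcre does not.
    "dot_in_word": "GET /api/v1.mp3tools/status HTTP/1.1\r\nHost: api.example\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (content_hit, pcre_hit, combined_hit)} for each payload."""
    return {
        name: (content_match(p), pcre_match(p), rule_matches(p))
        for name, p in samples.items()
    }


def content_then_pcre_equivalent(samples=SAMPLES) -> bool:
    """True when content+pcre accepts exactly the same payloads as pcre alone."""
    return all(rule_matches(p) == pcre_match(p) for p in samples.values())


if __name__ == "__main__":
    for name, (c, r, both) in evaluate().items():
        print(f"{name:18s} content={c!s:5s} pcre={r!s:5s} content+pcre={both}")
    print("content+pcre == pcre alone:", content_then_pcre_equivalent())
```

Two things the run makes visible from a defender's side: the `dot_in_word` payload is exactly the kind of hit the rev:4 content-only rule produced and the pcre removes, and the `download_request` payload matters because `flow:to_server` only says the packet travels toward the server, so a request that fetches an .mp3 is indistinguishable from one that uploads it with string matching alone; confirming the HTTP method or the request body is what separates the two cases.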