[Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

Isherwood, Jeffrey - IS Jeffrey.Isherwood at ...14632...
Thu Aug 5 13:09:26 EDT 2010


Well, the false positives I was getting originally were from the "content" part of the rule being too loose.   If anybody did something where .mp3 was listed in the session it triggered, rather just when someone uploaded one...

I thought at first to try and limit my search to HTTP POSTs but thought about it some more and since there is certainly more than one way to upload a file, I figured that I should not limit it to HTTP POST... that's when I decided to try the PCRE version instead... however I can't seem to make the alert go off now.  I could set off the Rev:4 version below by simply chatting with you or using an unencrypted email outbound with .mp3 in it.  Even going to a website that had .mp3 on the page seemed to trigger the Rev:4 (content) version.

Now that I'm trying the Rev:7 (PCRE) version below I can't seem to trigger it to make sure it works.  I went to an unencrypted website that allows me to upload files, and tried to load one via its java front end and the alert did not fire... so I think I'm missing something...

Shane suggested I look at the ET rules for an MP3 alert they have, I'll go take a poke at them...



From: Joel Esler [mailto:jesler at ...1935...]
Sent: Thursday, August 05, 2010 12:21 PM
To: Isherwood, Jeffrey - IS
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

As an aside, you can try, instead of removing your content, put it in addition to your PCRE.

Place your pcre after your content and it's modifiers, and see if that makes a difference.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:


Trying to fine tune some rules and remove false positives...  I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )

It was catching false positives and so I'm trying this one, but something seems to be lacking...

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )


________________________________
This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100805/6f8bc2d1/attachment.html>


More information about the Snort-users mailing list