[Snort-users] [Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download

Y M snort at ...15979...
Tue Feb 4 04:19:00 EST 2014


This will largely depend on how you have your $HOME_NET and $EXTERNAL_NET configured in your snort.conf file. From the rule perspective, this will depend on:
 
 - Direction of your rule $HOME_NET -> $EXTERNAL_NET or $EXTERNAL_NET -> $HOME_NET
 - Since the rule below seems to be alerting on TCP, you have to check the flow direction in the rule, if there is any.
 - Whether the content match in the rule will satisfy the content pattern regardless of direction.
 
YM
 
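As an added illustration of the point above (example rules written for this thread, not taken from the original reply or from the ET ruleset), two constructed local rules split the same client-to-server Dropbox HTTP session by request method, because both an upload (POST) and a download (GET) travel $HOME_NET -> $EXTERNAL_NET and `flow:to_server` alone cannot separate them. Assumed: $HTTP_PORTS is defined in snort.conf, the traffic is unencrypted HTTP on port 80 as in the alert quoted below, and sids 1000001/1000002 are unused in your local range.

```snort
# Constructed local rules (local sid range, not the ET sid 2012647).
# Both rules fire on the client's request inside $HOME_NET, so the
# direction operator and flow:to_server are identical; the only
# discriminator between upload and download is the HTTP method.

# Upload: an HTTP POST from an internal client to a dropbox.com host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL POLICY Dropbox upload (HTTP POST to dropbox.com host)"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"dropbox.com"; http_header; nocase; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Download: an HTTP GET from the same client to the same host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL POLICY Dropbox download (HTTP GET to dropbox.com host)"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"dropbox.com"; http_header; nocase; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

Over HTTPS neither the method nor the Host header is visible to Snort, so these rules only classify plaintext HTTP sessions.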
Date: Wed, 29 Jan 2014 16:57:51 +0400
From: malinkinsa at ...11827...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download

Hello!

I just recently started using snort.


I have a question about one rule, the one named in the message subject :)



Testing a rule: if I upload a file through the client to the server, or the client fetches a Dropbox file from a server onto my computer, I get the following message:


[**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1] 
01/29-22:52:30.221035 XXX.XXX.XXX.XXX:28152 -> 108.160.162.33:80
TCP TTL:41 TOS:0x0 ID:2084 IpLen:20 DgmLen:293 DF
***A**** Seq: 0xD0A65C80  Ack: 0x9A9A3FE7  Win: 0x3CB8  TcpLen: 20


But I want to somehow distinguish a download from an upload.

Maybe somebody did something similar.


Thank you!

