[Snort-users] using snort to track file movement?
Jason_Haar at ...15306...
Mon Feb 15 18:20:42 EST 2016
I'm wondering if I could (mis)use snort to track the movement of files
around the internal network (assuming WAN monitor ports in place), i.e.
log "src.ip -> cifs://dst.ip/share/dir/file" kind of thing. Filename and
checksum would make sense - keeping content would make no sense. This
could be a poor man's DLP solution, or good for forensically detecting
worms (i.e. once you have the worm checksum, you can check the logs to see
if it's been on the network). Also I can't get the greylist/blacklist
option to work - I assume that I'm using the wrong checksum. I tested it
I'm playing around with snort-2.9.8's "file" options, but they don't
seem to do what I want. I've managed to make it record files to disk,
but the "filelog" option doesn't work at all ("captured-filenames" never
contains anything, even though the capture_disk directory grows with
files). What I want is the opposite. But what's equally important is the
context in which the file is detected: simple src/dst ip is not good
enough. A server - whether it be FTP/CIFS/HTTP - could have literally
millions of files on it - so you really need to know where on that
server it was detected - not just that it exists. I don't think snort
keeps track of that kind of detail?
I'm hoping I'm wrong? :-)
preprocessor normalize_tcp: ips ecn stream
preprocessor file_inspect: type_id, signature, capture_disk /var/log/snort/files/ 300, capture_queue_size 5000, greylist
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
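To make the logging idea in the post concrete, here is an added example (not Snort code, and not something from the original message) that builds the "src.ip -> cifs://dst.ip/share/dir/file" record the poster describes, keyed by SHA256 so a known checksum can later be traced to every host and server path it was seen on. The event records, IPs, paths and payloads are all constructed for the example; how such events would be extracted from a sensor is outside what the post covers.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One observed file transfer: who sent it, to which server, and where on it."""
    src_ip: str
    proto: str    # "cifs", "ftp" or "http"
    dst_ip: str
    path: str     # share/dir/file on the destination server (no leading slash)
    sha256: str   # lower-case hex digest of the transferred content


def sha256_hex(data: bytes) -> str:
    """Checksum of the content; only this digest is retained, never the content itself."""
    return hashlib.sha256(data).hexdigest()


def to_log_line(ev: FileEvent) -> str:
    """Render the record in the 'src.ip -> proto://dst.ip/path' form plus its checksum."""
    return f"{ev.src_ip} -> {ev.proto}://{ev.dst_ip}/{ev.path} sha256={ev.sha256}"


def build_index(events):
    """Index events by checksum so a hash can be traced to every location it reached."""
    index = defaultdict(list)
    for ev in events:
        index[ev.sha256.lower()].append(ev)
    return index


def where_seen(index, sha256, dst_ip=None):
    """All log lines for a checksum, optionally narrowed to one destination server.

    The hash is normalised to lower case so watchlists written in upper-case
    hex still match.
    """
    hits = index.get(sha256.lower(), [])
    if dst_ip is not None:
        hits = [ev for ev in hits if ev.dst_ip == dst_ip]
    return [to_log_line(ev) for ev in hits]


# Constructed sample: three transfers, two of which carry identical content
# (the situation the post describes when tracing a worm by its checksum).
_PAYLOAD_A = b"constructed sample payload A"
_PAYLOAD_B = b"constructed sample payload B"
SAMPLE_EVENTS = [
    FileEvent("10.0.1.15", "cifs", "10.0.2.5", "public/tools/update.exe", sha256_hex(_PAYLOAD_A)),
    FileEvent("10.0.1.15", "http", "10.0.3.9", "downloads/report.pdf", sha256_hex(_PAYLOAD_B)),
    FileEvent("10.0.1.22", "ftp", "10.0.2.7", "incoming/update.exe", sha256_hex(_PAYLOAD_A)),
]

if __name__ == "__main__":
    idx = build_index(SAMPLE_EVENTS)
    for line in where_seen(idx, sha256_hex(_PAYLOAD_A).upper()):
        print(line)
```

Because the index is keyed on the digest rather than the filename, the two copies of the sample payload are found together even though one was written over CIFS and the other over FTP to a different server, and the log line carries the server path so the hit is actionable rather than just "this host had it somewhere".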