<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>This will largely depend on how you have your $HOME_NET and $EXTERNAL_NET configured in your snort.conf file. From the rule perspective, this will depend on:<br><br>
- Direction of your rule: $HOME_NET -> $EXTERNAL_NET or $EXTERNAL_NET -> $HOME_NET<br>
- Since the below rule seems to be alerting on TCP, you have to check the flow direction in the rule, if there is any.<br>
- Whether the content match in the rule will satisfy the content pattern regardless of direction.<br><br>
YM<br><br>
<div><hr id="stopSpelling">Date: Wed, 29 Jan 2014 16:57:51 +0400<br>
From: malinkinsa@...11827...<br>
To: snort-sigs@lists.sourceforge.net<br>
Subject: [Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download<br><br>
<div dir="ltr"><div>Hello!<br><br>
I just recently started using snort.<br><br>
I have a question about one rule, set out in the message subject :)<br><br>
Testing a rule, if I upload a file through the client to the server, or the client takes a Dropbox file from a server on my computer, I get the following message:<br><br>
[**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**]<br>
[Classification: Potential Corporate Privacy Violation] [Priority: 1]<br>
01/29-22:52:30.221035 XXX.XXX.XXX.XXX:28152 -> 108.160.162.33:80<br>
TCP TTL:41 TOS:0x0 ID:2084 IpLen:20 DgmLen:293 DF<br>
***A**** Seq: 0xD0A65C80  Ack: 0x9A9A3FE7  Win: 0x3CB8  TcpLen: 20<br><br>
But I want to somehow distinguish a download or an upload of information.<br>
Maybe somebody did something similar.<br><br><br></div><div>Thank you!<br></div></div>
<br>_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!</div>                                           </div></body>
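As an added illustration of the reply's points on rule direction and content matching (constructed example rules for this note, not ET sid 2012647 and not anything posted on the list), the following local Snort 2.9 rules separate a Dropbox upload from a download by HTTP request method and by flow direction. They assume the default snort.conf variables $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS plus the http_inspect preprocessor; the sids 1000001-1000003 and the flowbit name local.dropbox.get are placeholders.

```snort
# Constructed local rules (not the ET rule from the alert above). Assumes the
# default snort.conf variables $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS and
# the http_inspect preprocessor, which http_method/http_header/http_stat_code
# depend on. Sids and the flowbit name are placeholders.
#
# Over HTTP both an upload and a download begin with a request from the
# client, so on the wire both travel $HOME_NET -> $EXTERNAL_NET and
# flow:to_server matches both of them. The request method tells them apart.

# Upload: the client pushes the file body in a POST request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL POLICY Dropbox file upload (HTTP POST)"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"dropbox.com"; nocase; http_header; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Download, step 1: the client asks for the file with a GET. Only a flowbit
# is set here (no alert); the alert is raised on the server's reply below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL POLICY Dropbox file download request (HTTP GET)"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"dropbox.com"; nocase; http_header; \
    flowbits:set,local.dropbox.get; flowbits:noalert; \
    classtype:policy-violation; sid:1000002; rev:1; )

# Download, step 2: the file bytes travel $EXTERNAL_NET -> $HOME_NET, so this
# rule's header and flow keyword are the reverse of the upload rule, and it
# fires only on the reply to a request already seen by sid 1000002.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL POLICY Dropbox file download (HTTP 200 reply)"; \
    flow:to_client,established; \
    flowbits:isset,local.dropbox.get; \
    content:"200"; http_stat_code; \
    classtype:policy-violation; sid:1000003; rev:1; )
```

With these, an upload alerts on the client-to-server packet while a download alerts on the server-to-client packet, so the alert's source and destination addresses alone tell the two apart.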
</html>