What false positives were you catching? Maybe we can help you whittle those down.
Joel
On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:
> Trying to fine-tune some rules and remove false positives… I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )
>
> It was catching false positives and so I’m trying this one, but something seems to be lacking…
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )
>
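An added example (not part of the thread above, and not Snort itself): a small Python script that emulates the match logic of the two quoted rules, the rev:4 `content:".mp3"; nocase;` substring match and the rev:7 `pcre:"/\w+\.mp3($|\W|\")/i"` pattern, and runs both over a handful of constructed client-to-server payloads. The payloads, host names and file names are made up for illustration. It shows two things a rule tuner would want to see: which hits the PCRE removes relative to the plain content match (".mp3" buried inside a longer token such as `jquery.mp3player.js`), and that an HTTP GET request for an .mp3 file is also client-to-server traffic, so `flow:established,to_server` alone does not distinguish a download from an upload.

```python
import re

# Added example, not from the original thread: emulate the match logic of the
# two quoted Snort rules on constructed client->server payloads and compare.

# rev:4  content:".mp3"; nocase;  -> case-insensitive substring match anywhere
def content_match(payload: bytes) -> bool:
    return b".mp3" in payload.lower()

# rev:7  pcre:"/\w+\.mp3($|\W|\")/i"
# The \" in the Snort rule is the rule-language escape for a literal quote;
# Python's re is close enough to PCRE for this particular pattern.
MP3_PCRE = re.compile(rb'\w+\.mp3($|\W|")', re.IGNORECASE)

def pcre_match(payload: bytes) -> bool:
    return MP3_PCRE.search(payload) is not None

# Constructed sample payloads (not real captures). Every one of these travels
# client->server, which is the direction flow:established,to_server selects.
SAMPLES = {
    # an FTP upload command
    "ftp_stor": b"STOR summer_mix.mp3\r\n",
    # an HTTP multipart upload, file name carried in the part header
    "http_post_upload": (
        b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
        b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n--xyz\r\n"
        b'Content-Disposition: form-data; name="f"; filename="Track01.MP3"\r\n'
    ),
    # an HTTP *download* request: also client->server, so both rules fire
    "http_get_download": b"GET /music/song.mp3 HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
    # ".mp3" as a substring of a longer token: only the content rule fires
    "js_asset": b"GET /static/jquery.mp3player.js HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # "mp3" without the dot: neither rule fires
    "dotless": b"GET /mp3/index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # nothing to do with audio at all
    "clean": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}

def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (rev4_content_fires, rev7_pcre_fires)} for each payload."""
    return {name: (content_match(p), pcre_match(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (c, r) in evaluate().items():
        print(f"{name:18} rev4 content={c!s:5} rev7 pcre={r}")
```

Running it shows the PCRE dropping the `js_asset` hit while agreeing with the content match everywhere else, including on the GET download. If downloads turn out to be the bulk of the remaining hits, the rule needs something beyond a payload pattern to tell uploads apart (for HTTP, for example, matching on the request method or the client body rather than the whole payload).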
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users