Snort mailing list archives

Re: Snort 2.8.4 RC1 Released


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 12 Feb 2009 10:20:05 +1300

Todd Wease wrote:
> Just in case anyone is wondering, the README.dcerpc2 did not make it
> into the RC1 distribution.  In case anyone is interested, see attached.
That's really great to see all the extra work going into the CIFS world,
but it still appears to be oriented around catching protocol
exploits. Are you looking to generalize it - like Snort does with HTTP?
(e.g. "uricontent")

i.e. I'd love to be able to have rules like

alert tcp any any -> $SENSITIVE_SERVERS $cifs_ports (msg:"DLP trigger:
sensitive NetBIOS file access"; cifsfilename:"*.ppt"; content:"top
secret"; ....)
alert tcp any any -> any $cifs_ports (msg:"DLP trigger: sensitive NetBIOS
dir access"; cifsdirname:"private"; content:"top secret"; ....)
alert tcp any any -> $SENSITIVE_SERVERS $cifs_ports (msg:"DLP trigger:
unauthorized backup of >500 sensitive files";
cifsfilename:"*"; threshold:type threshold, track by_src, count 500,
seconds 600;)

Just some ideas (I know you're sniffing around the DLP market ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
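The three rules in the post sketch a DLP-style detection over CIFS file names rather than protocol exploits. The following is an added example, not part of the original post and not Snort or the dcerpc2 preprocessor's own code: a small Python evaluator for the hypothetical `cifsfilename` / `cifsdirname` options together with Snort's `threshold:type threshold, track by_src` semantics, run over constructed SMB file-access events. The `FileAccess` record, the `CifsRule` structure and the scaled-down count of 5 (instead of the post's 500) are assumptions made for the demonstration.

```python
"""Added example (not from the original post or from Snort): evaluate the
hypothetical CIFS rule options sketched in the post over constructed
file-access events.  Keywords cifsfilename / cifsdirname do not exist in
Snort; the event format below is an assumption."""

from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple
import posixpath


@dataclass
class FileAccess:
    """One observed SMB file open (constructed record, not decoder output)."""
    ts: float       # seconds since capture start
    src: str        # client address
    path: str       # share-relative path, e.g. "private/q3/plan.ppt"
    payload: bytes  # first file bytes seen on the wire


@dataclass
class CifsRule:
    msg: str
    filename_glob: Optional[str] = None   # hypothetical cifsfilename
    dirname: Optional[str] = None         # hypothetical cifsdirname
    content: Optional[bytes] = None       # Snort-style content match
    threshold_count: int = 0              # 0 = no threshold option
    threshold_seconds: int = 0


@dataclass
class Thresholder:
    """Simplified 'type threshold, track by_src': alert on every count-th
    matching event inside a window of `seconds`; an expired window resets."""
    count: int
    seconds: int
    state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def hit(self, src: str, ts: float) -> bool:
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:      # window expired: start over
            start, n = ts, 0
        n += 1
        if n >= self.count:                # fire and reset the counter
            self.state[src] = (start, 0)
            return True
        self.state[src] = (start, n)
        return False


def rule_matches(rule: CifsRule, ev: FileAccess) -> bool:
    """Static part of a rule: file name glob, directory component, content."""
    if rule.filename_glob and not fnmatch(posixpath.basename(ev.path), rule.filename_glob):
        return False
    if rule.dirname and rule.dirname not in ev.path.split("/")[:-1]:
        return False
    if rule.content and rule.content not in ev.payload:
        return False
    return True


def run_rules(rules: List[CifsRule], events: List[FileAccess]) -> List[Tuple[str, str, float]]:
    """Return (msg, src, ts) alerts, applying per-rule thresholds by source."""
    thresholds = {id(r): Thresholder(r.threshold_count, r.threshold_seconds)
                  for r in rules if r.threshold_count}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if not rule_matches(rule, ev):
                continue
            th = thresholds.get(id(rule))
            if th is None or th.hit(ev.src, ev.ts):
                alerts.append((rule.msg, ev.src, ev.ts))
    return alerts


def sample_rules() -> List[CifsRule]:
    return [
        CifsRule("DLP trigger: sensitive NetBIOS file access",
                 filename_glob="*.ppt", content=b"top secret"),
        CifsRule("DLP trigger: sensitive NetBIOS dir access",
                 dirname="private", content=b"top secret"),
        CifsRule("DLP trigger: bulk file access",
                 filename_glob="*", threshold_count=5, threshold_seconds=600),
    ]


def sample_events() -> List[FileAccess]:
    """Constructed traffic: one sensitive open, one bulk reader, one slow reader."""
    ev = [
        FileAccess(0.0, "10.0.0.5", "private/q3/plan.ppt", b"top secret plan"),
        FileAccess(1.0, "10.0.0.5", "public/notes.txt", b"hello"),
        FileAccess(2.0, "10.0.0.5", "private/memo.docx", b"top secret memo"),
    ]
    # 7 opens in 7 seconds: crosses the count-5 threshold once
    ev += [FileAccess(100.0 + i, "10.0.0.9", f"share/f{i}.dat", b"x") for i in range(7)]
    # 4 opens, then 3 more after the 600 s window expired: never reaches 5
    ev += [FileAccess(200.0 + i, "10.0.0.7", f"share/g{i}.dat", b"x") for i in range(4)]
    ev += [FileAccess(900.0 + i, "10.0.0.7", f"share/h{i}.dat", b"x") for i in range(3)]
    return ev


def demo() -> List[Tuple[str, str, float]]:
    return run_rules(sample_rules(), sample_events())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The threshold state is keyed by source only, as `track by_src` implies; the slow reader shows why the window matters: four opens, a long pause, then three more never reach the count, whereas the same seven opens inside ten minutes fire once.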


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net