Snort mailing list archives
query about preprocessor design
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 10 Jul 2009 10:25:41 +1200
Hi there,

I was looking over README.dcerpc2 to see all the work that's gone into the CIFS/SMB/DCE protocols. The preprocessor allows snort to "see" things like connecting to shares - and you can even set up preprocessor-based alerts based on connection attempts against a list of "watchable" share names. All fine and good.

However, my question is: why is this done as a preprocessor option instead of a rule option? i.e. why is it "smb_invalid_shares" instead of rule option "dce_sharename"? It appears to me that preprocessors should limit their alerts to protocol inconsistencies - not standard functionality.

I mean, isn't snort generally inconsistent at the moment? We have "uricontent" as a rule option - even though it's specific to HTTP, so there is precedence. I'd love to see options like "dce_sharename", "dce_filename" - as they have immediate value in the DLP (Data Loss Prevention) arena - somewhere I suspect Sourcefire is interested in?

If I allow myself to get all overexcited, I'd even go as far as saying there should be a generic "filename" rule option - and that all the preprocessors you enable will add towards that definition. e.g. enabling SMTP, FTP, HTTP and DCE preprocessors will enable snort to track a filename's movement as email attachments, FTP/HTTP "PUT/POST" and Samba/CIFS transfers. e.g. I'd love to track "hrdatabase.xls" (I'm kidding!!!) around the network.

Time for my meds ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1