Snort mailing list archives
Re: query about preprocessor design
From: Jason Brvenik <jasonb () sourcefire com>
Date: Thu, 9 Jul 2009 22:48:31 -0400
Bah, why go for hrdatabase.xls when you could go for 20090715ACH.xls and 20092HPROMOTIONS.xls?

On Thu, Jul 9, 2009 at 6:25 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:

Hi there,

I was looking over README.dcerpc2 to see all the work that's gone into the CIFS/SMB/DCE protocols. The preprocessor allows snort to "see" things like connecting to shares - and you can even set up preprocessor-based alerts based on connection attempts against a list of "watchable" share names. All fine and good.

However, my question is: why is this done as a preprocessor option instead of a rule option? i.e. why is it "smb_invalid_shares" instead of rule option "dce_sharename"? It appears to be that preprocessors should limit their alerts to protocol inconsistencies - not standard functionality.

I mean, isn't snort generally inconsistent at the moment? We have "uricontent" as a rule option - even though it's specific to HTTP, so there is precedence. I'd love to see options like "dce_sharename", "dce_filename" - as they have immediate value in the DLP (Data Loss Prevention) arena - somewhere I suspect Sourcefire is interested in?

If I allow myself to get all overexcited, I'd even go as far as saying there should be a generic "filename" rule option - and that all the preprocessors you enable will add towards that definition. e.g. enabling SMTP, FTP, HTTP and DCE preprocessors will enable snort to track a filename movement as email attachments, FTP/HTTP "PUT/POST" and Samba/CIFS transfers. e.g. I'd love to track "hrdatabase.xls" (I'm kidding!!!) around the network.

Time for my meds ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge.
See full prize details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
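To make the asymmetry Jason is asking about concrete, here is an added snort.conf fragment (not from this thread and not the Snort project's own documentation text) showing how the dcerpc2 preprocessor of Snort 2.8.x is configured: the share watch list lives on the preprocessor as smb_invalid_shares, while the rule language already carries DCE/RPC-specific options (dce_iface, dce_opnum, dce_stub_data) that match the interface and operation but nothing that matches a share or file name. The share name HR$ and the sid are constructed values for illustration.

```snort
# Added example, not from the thread: Snort 2.8.x snort.conf fragment.
#
# Global dcerpc2 settings: memory cap for session tracking and which
# event classes the preprocessor itself is allowed to raise.
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]

# Per-server policy. The "watchable share names" Jason mentions are an
# option of the preprocessor, not of any rule: a Tree Connect to one of
# these shares raises a preprocessor (GID 133) event.
# "HR$" is a constructed example share name.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3, \
    smb_invalid_shares ["C$", "ADMIN$", "HR$"]

# By contrast, a rule can key on the DCE/RPC interface and opnum the
# preprocessor decoded (this UUID is the SRVSVC interface), and then
# inspect the stub data. There is no equivalent "dce_sharename" or
# "dce_filename" keyword, which is the gap the post points out.
# sid 1000001 is a constructed local-range value.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1025:] \
    (msg:"DCERPC SRVSVC call"; flow:established,to_server; \
     dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:0-11; \
     dce_stub_data; sid:1000001; rev:1;)
```

With the fragment in place, share-access events show up under the preprocessor's generator ID and are tuned through the preprocessor config, whereas the rule-based alert is tuned like any other rule (thresholds, suppressions, variables).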