Snort mailing list archives
Re: MP3's are evil... Searching for traffic based upon uploaded file type...
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 5 Aug 2010 11:54:18 -0400
What false positives were you catching? Maybe we can help you whittle those down.

Joel

On Aug 5, 2010, at 11:16 AM, Isherwood, Jeffrey - IS wrote:
Trying to fine tune some rules and remove false positives… I was originally using the rule below to try and detect possible policy violations of anyone uploading MP3s from the internal network to the internet:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; content:".mp3"; nocase; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:4; )

It was catching false positives and so I’m trying this one, but something seems to be lacking…

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: Forbidden File Transfer from Internal to External"; flow:established,to_server; pcre:"/\w+\.mp3($|\W|\")/i"; priority:3; classtype:misc-activity; sid:1000005; gid:1; rev:7; )
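To see why the content match in rev 4 fires on payloads that are not MP3 transfers while the PCRE in rev 7 does not, here is an added Python emulation of both matchers run over constructed HTTP request payloads (example code written for this page, not Snort's own matching engine; the content and pcre options are approximated with a substring test and Python's re module, and all sample payloads are made up).

```python
import re

# Constructed client-to-server payloads (not captured traffic).
SAMPLES = {
    # A real multipart upload naming an .mp3 file: both revisions should fire.
    "upload": ('POST /upload HTTP/1.1\r\n'
               'Content-Disposition: form-data; name="f"; filename="song.mp3"\r\n'),
    # A GET for an .mp3: still client->server (flow:to_server), so both fire.
    "download": "GET /music/track.mp3 HTTP/1.1\r\nHost: example.test\r\n",
    # ".mp3" followed by word characters: rev 4 substring fires, rev 7 does not.
    "referer": ("GET /site.css?v=2 HTTP/1.1\r\n"
                "Referer: http://example.test/page.mp3player\r\n"),
    # ".mp3" preceded by "/" (no \w+ before the dot): rev 4 fires, rev 7 does not.
    "dotfile": "GET /static/.mp3-icon.png HTTP/1.1\r\n",
    # Nothing MP3-like at all: neither fires.
    "plain": "GET /index.html HTTP/1.1\r\n",
}


def content_match(payload):
    """Emulates content:".mp3"; nocase; -- a case-insensitive substring test."""
    return ".mp3" in payload.lower()


# Same expression as the rev 7 rule; the \" in the rule is just the quote
# escaped for Snort's rule parser.
PCRE = re.compile(r'\w+\.mp3($|\W|")', re.I)


def pcre_match(payload):
    """Emulates pcre:"/\\w+\\.mp3($|\\W|\\")/i" from rev 7 of the rule."""
    return PCRE.search(payload) is not None


def compare(samples=SAMPLES):
    """Returns {name: (rev4_fires, rev7_fires)} for each sample payload."""
    return {name: (content_match(p), pcre_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (rev4, rev7) in compare().items():
        print(f"{name:10s} rev4={rev4!s:5s} rev7={rev7}")
```

The "download" sample shows the limit of both revisions: flow:to_server only selects client-to-server packets, so a request to fetch an .mp3 from an external site matches just like an upload does.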