
List:       snort-sigs
Subject:    [Snort-sigs] sid: 2012647 How to understand user upload file to the server, or download
From:       <malinkinsa () gmail ! com>
Date:       2014-01-29 12:57:51
Message-ID: CAAEQdvXBQ4mqafAd=UTG+MNaFKQBooZC16ee7Lscwy4=eYzrOg () mail ! gmail ! com



Hello!

I just recently started using snort.

I have a question about one rule, set out in the message subject :)


Testing a rule, if I upload a file through the client to the server, or the
client takes a Dropbox file from a server on my computer, I get the following
message:

[**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
01/29-22:52:30.221035 XXX.XXX.XXX.XXX:28152 -> 108.160.162.33:80
TCP TTL:41 TOS:0x0 ID:2084 IpLen:20 DgmLen:293 DF
***A**** Seq: 0xD0A65C80  Ack: 0x9A9A3FE7  Win: 0x3CB8  TcpLen: 20

But I want to somehow distinguish download from upload information.
Maybe somebody did something similar.


Thank you!
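The alert header quoted above records the client's HTTP request to port 80 (client -> 108.160.162.33:80), and that header looks the same whether the client is pushing a file up or pulling one down, so the source/destination pair alone cannot tell the two apart. One way to separate them is to write local rules keyed on the HTTP method of the request and on the server's response. The rules below are an added illustration for this thread, not Emerging Threats rule 2012647 or anything else from the original post. They assume Snort 2.9-style http_* content modifiers, plain HTTP on $HTTP_PORTS as in the alert above, a Host header containing "dropbox.com", and a download response carrying "Content-Type: application/octet-stream"; the SIDs, the flowbit name and that response header are assumptions, not verified Dropbox behaviour.

```snort
# Added example rules (not from the thread). Assumes Snort 2.9.x http_* modifiers.
# SIDs in the 1000000+ local range; adjust to your own numbering.

# Upload: the client sends a POST (or PUT, via the M pcre modifier = http_method)
# to a dropbox.com host. flow:to_server ties the rule to the request direction.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL POLICY Dropbox HTTP upload request (POST/PUT)"; flow:established,to_server; pcre:"/^(POST|PUT)$/M"; content:"dropbox.com"; http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)

# Download, step 1: a GET to a dropbox.com host sets a flowbit but does not alert
# on its own, because clients also poll metadata with GET.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL POLICY Dropbox HTTP GET request (flowbit only)"; flow:established,to_server; content:"GET"; http_method; content:"dropbox.com"; http_header; nocase; flowbits:set,local_dropbox_get; flowbits:noalert; sid:1000002; rev:1;)

# Download, step 2: alert only on the server's response to that GET when it carries
# a file body. The Content-Type value here is an assumed placeholder; check what the
# service actually returns and adjust. Inspecting response headers with http_header
# requires extended_response_inspection in the http_inspect_server preprocessor config.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL POLICY Dropbox HTTP file download response"; flow:established,from_server; flowbits:isset,local_dropbox_get; content:"Content-Type|3A| application/octet-stream"; http_header; nocase; classtype:policy-violation; sid:1000003; rev:1;)
```

Dropping these into a local.rules file and running `snort -T -c snort.conf` first checks that they parse. Note that these only work for cleartext HTTP; once the client moves to HTTPS, method and Host header are no longer visible and the distinction has to come from flow direction and byte counts on the TLS session instead.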





_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

