Snort mailing list archives

using snort to track file movement?


From: Jason Haar <Jason_Haar () trimble com>
Date: Tue, 16 Feb 2016 12:20:42 +1300

Hi there

I'm wondering if I could (mis)use snort to track the movement of files
around the internal network (assuming WAN monitor ports in place), i.e.
log "src.ip -> cifs://dst.ip/share/dir/file" kind of thing. Filename and
checksum would make sense - keeping content would make no sense. This
could be a poor-man's DLP solution, or good for forensically detecting
worms (i.e. once you have the worm checksum, you can check the logs to see
if it's been on the network). Also I can't get the greylist/blacklist
option to work - I assume that I'm using the wrong checksum. I tested it
using eicar.com
(131F95C51CC819465FA1797F6CCACF9D494AAAFF46FA3EAC73AE63FFBDFD8267) -
never triggered?

I'm playing around with snort-2.9.8's "file" options, but they don't
seem to do what I want. I've managed to make it record files to disk,
but the "filelog" option doesn't work at all ("captured-filenames" never
contains anything, even though the capture_disk directory grows with
files). What I want is the opposite. But what's equally important is the
context in which the file is detected: simple src/dst ip is not good
enough. A server - whether it be FTP/CIFS/HTTP - could have literally
millions of files on it - so you really need to know where on that
server it was detected - not just that it exists. I don't think snort
keeps track of that kind of detail?

I'm hoping I'm wrong? :-)

Thanks

include /etc/snort/file_magic.conf
preprocessor normalize_tcp: ips ecn stream
preprocessor file_inspect: type_id, signature, capture_disk /var/log/snort/files/ 300, capture_queue_size 5000, greylist /etc/snort/file-graylist.txt
dynamicoutput file /usr/lib64/snort-2.9.8.0_dynamicpreprocessor/libsf_file_preproc.so
output filelog:captured-filenames


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
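Added example (not part of the original post or of Snort itself): the file_inspect greylist/blacklist matching discussed above keys on the SHA-256 of the bytes as they cross the wire, so the digest you put in the list has to be computed over exactly those bytes. The script below hashes constructed sample content, shows how a single trailing newline (the kind an editor adds when you save a test file) yields a completely different digest, renders a list in the one-digest-per-line form, and emits a tracking record in the "src.ip -> cifs://dst.ip/share/dir/file" shape sketched in the post. The '#' comment handling in the list parser and the record layout are this script's own conventions, not something the Snort manual promises; check README.file for what the preprocessor actually accepts.

```python
"""Hash files the way a Snort file list expects (SHA-256), build and read a
greylist/blacklist, and log a file-movement record with the digest attached.
All input is constructed inline; nothing here reads pcaps or talks to Snort."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest().upper()


def build_file_list(digests) -> str:
    """Render a file list: one upper-case SHA-256 hex digest per line."""
    return "".join(f"{d.strip().upper()}\n" for d in digests)


def parse_file_list(text: str) -> set:
    """Read a list back. Blank lines and '#' comments are skipped (our own
    convention, assumed here); everything else is treated as a digest."""
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) != 64 or any(c not in "0123456789ABCDEFabcdef" for c in line):
            raise ValueError(f"not a SHA-256 hex digest: {line!r}")
        digests.add(line.upper())
    return digests


def file_record(src_ip: str, dst_ip: str, share: str, path: str, data: bytes) -> str:
    """One log line: who moved which file, from where on the server, and its hash.
    The path component is what a bare src/dst IP pair cannot tell you."""
    return f"{src_ip} -> cifs://{dst_ip}/{share}/{path} sha256={sha256_hex(data)}"


def check_transfer(src_ip, dst_ip, share, path, data, listed: set):
    """Return (record, hit): the tracking record plus whether the transferred
    bytes hash to an entry in the list."""
    record = file_record(src_ip, dst_ip, share, path, data)
    return record, sha256_hex(data) in listed


# Constructed sample: the same payload with and without a trailing newline.
SAMPLE = b"abc"
SAMPLE_WITH_NEWLINE = SAMPLE + b"\n"


def trailing_newline_demo():
    """Digest of the bytes on the wire vs. the digest of the same text saved
    with a trailing newline. A list built from the latter never matches the
    former."""
    listed = parse_file_list(build_file_list([sha256_hex(SAMPLE_WITH_NEWLINE)]))
    _, hit_wire = check_transfer("10.0.0.5", "10.0.0.20", "public", "dropbox/abc.txt",
                                 SAMPLE, listed)
    _, hit_saved = check_transfer("10.0.0.5", "10.0.0.20", "public", "dropbox/abc.txt",
                                  SAMPLE_WITH_NEWLINE, listed)
    return hit_wire, hit_saved


if __name__ == "__main__":
    print("wire bytes :", sha256_hex(SAMPLE))
    print("with LF    :", sha256_hex(SAMPLE_WITH_NEWLINE))
    print("hit (wire), hit (saved):", trailing_newline_demo())
    print(file_record("10.0.0.5", "10.0.0.20", "public", "dropbox/abc.txt", SAMPLE))
```

Run it as-is to see the two digests side by side; to build a real list, feed build_file_list() digests taken from the exact bytes you expect to see transferred (for instance, hash the file that Snort itself wrote to the capture_disk directory), not from a copy that has passed through an editor.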


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net