[Oisf-users] Data loss prevention using suricata
Victor Julien
lists at inliniac.net
Tue Jul 9 16:35:50 UTC 2013
On 07/09/2013 06:28 PM, Chintagunta, Murali Mohan Chakravarthy
(HPUX-Network Security) wrote:
> Have a question on application of suricata for DLP (data loss prevention).
>
> As l now understand that, suricata has visibility to layer 7 using its HTP library. It can also do file extraction and identification.
>
> The question is, if it is possiable to write rules to prevent my files in different locations like SAN or SMB or local disks getting transferred out of my network.
Currently you can write rules to identify files over HTTP. Where they
are in your local network is irrelevant, as long as Suricata can see the
HTTP traffic that is used to exfiltrate them.
> To be specific, can I prevent bad guys stealing my files from my environment by writing specific suricata rules.
If you keep in mind the limitations, yes. Limitations include:
- HTTP only, so it can be defeated using other protocols
- Pkt loss can cause problems, especially if you rely on MD5 checksums
- you'll have to be inline if you want to reliably prevent transfers
> Can any one give a example of the rule.
Check:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list