[Oisf-users] Data loss prevention using suricata

Rich Rumble richrumble at gmail.com
Tue Jul 9 17:44:02 UTC 2013


On Tue, Jul 9, 2013 at 12:35 PM, Victor Julien <lists at inliniac.net> wrote:

> Currently you can write rules to identify files over HTTP. Where they
> are in your local network is irrelevant, as long as Suricata can see the
> HTTP traffic that is used to exfiltrate them.
>
> > To be specific, can I prevent bad guys stealing my files from my
> environment by writing specific suricata rules.
>
> If you keep in mind the limitations, yes. Limitations include:
> - HTTP only, so it can be defeated using other protocols
> - Pkt loss can cause problems, especially if you rely on MD5 checksums
> - you'll have to be inline if you want to reliably prevent transfers
>
> > Can any one give a example of the rule.
>
> Check:
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
> http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
> http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/
>
And from a security and experience perspective, DLP only "catches stupid",
meaning anyone determined to not be caught won't be. AAA (authentication,
authorization and auditing) is often better at preventing/catching someone
than DLP is. With DLP you're going to find people not doing what they are
supposed to do more than you catch some "insider" or hacker transferring
files. DropBox and Google Drive etc. all use HTTPS and no DLP can help you
there; it's easy to also encrypt a file/folder in a password-protected file
and then transfer. No company I've helped roll DLP out to has used it for
more than 2 years (because DLP helped them "clean up their act"), but some
signatures in the DLP spectrum can be useful. Sigs to look for CC#s or
SSN#s are a good idea, or sigs specific to important data you work with.
DLP is a pet-peeve of mine :) I didn't mean to hijack the discussion. I've
used Fidelis, Symantec (Vontu previously), RSA and OpenDLP; I cannot
recommend any of them, YMMV. You can build several good rules for detecting
"stupid" however:
http://www.sans.org/security-resources/idfaq/snort-detect-credit-card-numbers.php
FPs can and will happen.
-rich
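To make the "FPs can and will happen" point above concrete, here is an added example (not from the original thread, and not Suricata or Snort rule code): a regex candidate match for card numbers, of the kind a CC# signature uses, followed by a Luhn checksum filter that discards digit strings which cannot be valid card numbers. The HTTP POST bodies are constructed for the example.

```python
import re

# Constructed sample HTTP POST bodies (not real traffic or real card data).
# 4111111111111111 is a well-known test card number that passes the Luhn check.
SAMPLE_BODIES = [
    "cardnumber=4111111111111111&exp=1225&cvv=123",   # Luhn-valid test number
    "cardnumber=4111-1111-1111-1112&exp=1225",        # one digit off: fails Luhn
    "tracking=1234567890123456&status=shipped",       # 16-digit id, not a card
    "comment=hello+world&order=42",                   # no candidate at all
]

# Regex-only signature: 13 to 16 digits, optional single space/dash separators.
# On its own this is what produces false positives on order ids, tracking
# numbers and similar long numeric fields.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_body(body: str) -> dict:
    """Return raw regex hits and the subset that also pass the Luhn check."""
    hits = [m.group(0) for m in CARD_RE.finditer(body)]
    luhn_hits = [h for h in hits if luhn_ok(re.sub(r"[ -]", "", h))]
    return {"regex_hits": hits, "luhn_hits": luhn_hits}


def summarize(bodies) -> tuple:
    """Count (regex-only alerts, Luhn-filtered alerts) across all bodies."""
    regex_total = sum(len(scan_body(b)["regex_hits"]) for b in bodies)
    luhn_total = sum(len(scan_body(b)["luhn_hits"]) for b in bodies)
    return regex_total, luhn_total


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(scan_body(body))
    print("regex-only alerts vs Luhn-filtered alerts:", summarize(SAMPLE_BODIES))
```

The Luhn filter cuts the three regex alerts on the sample bodies down to one, but a structurally valid number in a legitimate context is still a false positive, so the check only reduces noise rather than removing it.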