Project

General

Profile

Actions

Support #2980

closed

How to set rules on Mail & Print traffic

Added by Maxime Brienne over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:
Beginner

Description

Hello every one,

As part of getting a standard I have to restrict the leakage of bank data.
For that I decided to use Surricata, however with the help of the rules Snort I am not able to capture mail frames holding sensitive information, either in the body of the text or as an attachment.
In addition I would like to know if it is possible to capture the files that are printed knowing that my printers are in another network and therefore passes through my probe.

Thank's for the help of the community, I am available for more information

Actions #1

Updated by Andreas Herz over 5 years ago

Well the biggest challenge is to write rules to detect this traffic.
As long as you see the complete traffic you can start writing signatures to match the traffic you want to detect.

Actions #2

Updated by Maxime Brienne over 5 years ago

Andreas Herz wrote:

Well the biggest challenge is to write rules to detect this traffic.
As long as you see the complete traffic you can start writing signatures to match the traffic you want to detect.

Yes but i don't find the signature with a Wireshark, so i don't know if it's possible to capture the print info.

Actions #3

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
  • Target version set to Support

If you don't see it in a traffic you need to find some other sources for the expected traffic. It's essential to have enough details to later match on specific traffic.

Actions #4

Updated by Victor Julien about 5 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF