dropbox?

lukeprimm
Level 1

I'm running IDM 7.0 and was wondering if there is a way to alert on our internal clients using the dropbox.exe application? If so, what signature? Or, any other ideas? Thanks

lp

rupadras
Cisco Employee

Hi Luke,

I will look into writing signatures to detect this. I will update this thread in a few days.

thanks,

Radhika

Thanks, that would be great. I'm surprised that there is not already something in place since cloud services like these are a major security hole. We are also looking into icloud and how it might open up new holes. Thanks again for your help on this.

Any progress on this?  I appreciate it.

Yes, sorry, I should've updated this post already. I have two signatures for dropbox client that should be released soon. Here are the details.

Signature 1:

This one fires when the client is in use.

engine: service-http

uri-regex: [\x2f\x5c]subscribe

arg-name-regex: host[_]int

request-regex: ns[_]map

header-regex: dropbox[.](com|net)

ports: #WEBPORTS

Signature 2:

This one fires when the client syncs over LAN (LAN Sync Discovery Protocol)

engine: multistring

protocol: UDP

port-selection: both-ports

source-port: 17500

dest-port: 17500

regex strings:

\x22host[_]int\x22\x3a

\x22version\x22\x3a

\x22displayname\x22\x3a

\x22namespaces\x22\x3a

I'd set the Summary-Mode Under Alert-Frequency to "Fire Once" for signature 2, or it will fire too often.

The signatures will be part of an upcoming sigupdate. I will also look into icloud later on.

Please let me know if you have any questions.

thanks,

Radhika
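
Added example (not part of the original posts and not Cisco's signature code): a small Python model of Signature 2 that can be used to check the four regex strings against UDP payloads before building the custom signature. It assumes every string must be present in the datagram, simplifies "Fire Once" to one alert per source address, and uses constructed sample datagrams.

```python
import re

# The four regex strings from Signature 2, as byte patterns.
LAN_SYNC_STRINGS = [re.compile(p) for p in (
    rb'\x22host[_]int\x22\x3a',
    rb'\x22version\x22\x3a',
    rb'\x22displayname\x22\x3a',
    rb'\x22namespaces\x22\x3a',
)]
LAN_SYNC_PORT = 17500


def matches_signature2(src_port, dst_port, payload):
    """True when a UDP datagram satisfies every condition of Signature 2."""
    # port-selection: both-ports -> source and destination must both be 17500
    if src_port != LAN_SYNC_PORT or dst_port != LAN_SYNC_PORT:
        return False
    # Assumption: every string must appear in the payload (in any order).
    return all(rx.search(payload) for rx in LAN_SYNC_STRINGS)


def alerts(datagrams):
    """Return one alert per source address (simplified "Fire Once")."""
    seen, fired = set(), []
    for src_ip, src_port, dst_ip, dst_port, payload in datagrams:
        if matches_signature2(src_port, dst_port, payload) and src_ip not in seen:
            seen.add(src_ip)
            fired.append((src_ip, dst_ip))
    return fired


# Constructed sample datagrams (not captured traffic).
DISCOVERY = (b'{"host_int": 123456789, "version": [1, 8], "displayname": "", '
             b'"port": 17500, "namespaces": [1111, 2222]}')
SAMPLE = [
    ("10.0.0.5", 17500, "255.255.255.255", 17500, DISCOVERY),
    ("10.0.0.5", 17500, "255.255.255.255", 17500, DISCOVERY),  # repeat broadcast
    ("10.0.0.9", 17500, "10.0.0.255", 17500, DISCOVERY),
    ("10.0.0.7", 40000, "10.0.0.255", 17500, DISCOVERY),       # wrong source port
    ("10.0.0.8", 17500, "10.0.0.255", 17500, b'{"version": [1, 8]}'),  # one string only
]

if __name__ == "__main__":
    for src, dst in alerts(SAMPLE):
        print(f"Dropbox LAN sync discovery: {src} -> {dst}")
```

The last two sample rows show why the port restriction and the combination of all four strings matter: a datagram with only "version": or with a non-17500 source port does not alert.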

That's exactly what I was looking for, thanks!!

the dropbox signature works great.

Any idea when this and signatures for other cloud storage services will be made available in an update?

How did you implement it? I'm a bit of a novice with IPS. Thanks

Created a custom signature...if you are using IME, go to...

Configuration > ipsname > Policies > Signature Definitions > sigX > All Signatures

In the upper right area of the IME screen there is a button called Signature Wizard, which will lead you through the steps to create a custom signature. The signature IDs begin with 60000.

Use the values provided by rupadras.

One note, I did not create the second dropbox signature...I did not see an option for the engine "multistring"...and the "String UDP" did not allow more than one regex.  I guess I could create a subsignature for each regex provided?
