Netgate Discussion Forum

I need to block Drop Box

pfSense Packages
  • M
    MilesDeep
    last edited by Mar 26, 2014, 1:13 PM

    Hello All,

    I've been on this one for a while but can't seem to block Drop Box use.  I've added the following rule to snort_policy.rules.

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
    Dropbox.com Offsite File Backup in Use"; flow:established,to_server;
    content:"/subscribe?host_int="; http_uri; content:"&ns_map="; http_uri;
    content:"&ts="; http_uri; content:".dropbox.com|0d 0a|";
    classtype:policy-violation; reference:url,www.dropbox.com;
    reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/;
    sid:2012647; rev:2;)

    I've tried to change "alert" to "block" at the beginning, not even sure that is the proper convention.

    I've seen rules like the following on different posts in these forums:

    #ET Dropbox rule
    block gen_id 1, sig_id 18608

    Can anyone please tell me how to block access to Drop Box?

    • M
      marcelloc
      last edited by Mar 27, 2014, 8:45 PM

      squid3-dev can block Dropbox with SSL interception. A firewall host alias can also do the job if you know all Dropbox nets.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • M
        MilesDeep
        last edited by Mar 28, 2014, 12:13 PM

        Thanks for the reply.  Not running Squid, yet.  Have written a rule blocking all the Dropbox subnet.  Works fine.  However, I'm obsessed with better learning Snort and getting it to do what needs to be done.  I know Dropbox is included with the ET rules but I had a lot of false/positive results when ET were enabled.

        • M
          MilesDeep
          last edited by Mar 28, 2014, 2:38 PM

          Successsss!!  Well, maybe.

          Simply enabled ET (Ruleset: ET Open Rules) and enabled emerging-policy.rules, in which Dropbox is included.

          Began seeing Alerts on Dropbox usage!  Good news.  See below:

          03/28/14
          10:30:47 1 TCP Potential Corporate Privacy Violation 108.214.218.190
            46123 108.160.163.115
            80 1:2012647
          ET POLICY Dropbox.com Offsite File Backup in Use

          Then, began to see entries in the BLOCKED tab.  Great news!  See below:

          108.160.163.103  ET POLICY Dropbox.com Offsite File Backup in Use - 03/28/14-10:36:21

          BUT, I can still go to Dropbox and upload a file to dropbox or download a file from it.  Why?  So close!

          • B
            bmeeks
            last edited by Mar 28, 2014, 3:04 PM Mar 28, 2014, 2:59 PM

            @MilesDeep:

            Successsss!!  Well, maybe.

            Simply enabled ET (Ruleset: ET Open Rules) and enabled emerging-policy.rules, in which Dropbox is included.

            Began seeing Alerts on Dropbox usage!  Good news.  See below:

            03/28/14
            10:30:47 1 TCP Potential Corporate Privacy Violation 108.214.218.190
              46123 108.160.163.115
              80 1:2012647
            ET POLICY Dropbox.com Offsite File Backup in Use

            Then, began to see entries in the BLOCKED tab.  Great news!  See below:

            108.160.163.103  ET POLICY Dropbox.com Offsite File Backup in Use - 03/28/14-10:36:21

            BUT, I can still go to Dropbox and upload a file to dropbox or download a file from it.  Why?  So close!

            That would most likely be a problem with incomplete rules in the ET-POLICY collection.  You could try either some Google searching or check the Emerging Threats community forums to see if anyone has some suggestions.  As you see, Snort can catch things it is programmed to recognize.  I'm guessing there are still some Dropbox signatures missing from the ET-POLICY collection.  I don't mean to imply you are doing anything wrong.  Instead, it could be the rule creators themselves have missed some stuff; or perhaps they are in some of the other categories ??

            Oh, one other thought did just occur to me.  Look at the ET-POLICY rules on the RULES tab and be sure all the Dropbox related rules are enabled (not grayed-out).  It's possible some of them may be default disabled in the ET-POLICY category.  The rule set creators will frequently not enable all the rules in a given category by default.  Some they leave to network admins to decide for themselves which to enable (and maybe which to disable if they are default enabled).

            Bill

            • M
              MilesDeep
              last edited by Mar 28, 2014, 7:01 PM

              Bill,

              All Dropbox policies are enabled.  The issue is with the fact Dropbox has so many IPs.  Many are listed as Blocked in Snort.  Is there any way to block a subnet in Snort, or should I just do it on the firewall?

              • B
                bmeeks
                last edited by Mar 29, 2014, 4:04 AM

                @MilesDeep:

                Bill,

                All Dropbox policies are enabled.  The issue is with the fact Dropbox has so many IPs.  Many are listed as Blocked in Snort.  Is there any way to block a subnet in Snort, or should I just do it on the firewall?

                Not yet, but it is coming with the next update.  The next release of the Snort package will support the IP Reputation preprocessor. This preprocessor uses blacklists to quickly block IPs or entire networks matching an entry in a blacklist file.  It is very efficient as it uses a simple IP match without going through all the other rule analytics.

                You can read up on the IP Reputation preprocessor here:  http://manual.snort.org/node17.html#SECTION003219000000000000000

                Bill

                • M
                  marcelloc
                  last edited by Mar 30, 2014, 3:52 AM

                  That will be a great addition to the package.

                  Is there any public IP reputation network that we can use?

                  Elite Training: http://sys-squad.com

                  Help a community developer! ;D

                  • B
                    bmeeks
                    last edited by Mar 30, 2014, 5:14 PM

                    @marcelloc:

                    That will be a great addition to the package.

                    Is there any public IP reputation network that we can use?

                    I was told the Emerging Threats guys are working on one, but I'm not sure if it will be free or pay.  Maybe they will do something similar to what they do for the rules:  offer a comprehensive and daily updated list for paying customers, and a slightly dated and maybe not quite as comprehensive list for free.

                    The Snort IP Reputation preprocessor is pretty simple, though.  All it needs is a text file with one IP address or CIDR network per line, so that should lend itself to use with many of the other types of lists out there.

                    Bill
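
The blacklist file format described in the post above (one IP address or CIDR network per line), as an added example that is not part of the thread or of the Snort package: a Python script that normalises a mixed-format address feed into that format, merging overlaps and rejecting bad entries. The feed is constructed from documentation address ranges (not real Dropbox networks); `parse_entry`, `build_blacklist` and the `min_prefix` sanity guard are hypothetical names, not Snort options.

```python
import ipaddress
import re

# Constructed sample feed: documentation/private ranges, not real Dropbox networks.
SAMPLE_FEED = """\
# constructed example feed
192.0.2.10
198.51.100.7
198.51.100.0/24        ; already covers the host above
203.0.113.0 - 203.0.113.15
203.0.113.16/28
192.0.2.300            # invalid octet, must be rejected
10.0.0.5/24            # host bits set, normalised to 10.0.0.0/24
0.0.0.0/0              # would blacklist everything, refused
"""

RANGE_RE = re.compile(r"^(\S+)\s*-\s*(\S+)$")

def parse_entry(text):
    """Return the list of networks described by one feed entry."""
    m = RANGE_RE.match(text)
    if m:  # "first - last" range -> minimal set of CIDR blocks
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]

def build_blacklist(feed, min_prefix=8):
    """Normalise a feed to one IP or CIDR per line; return (lines, rejected)."""
    nets, rejected = [], []
    for raw in feed.splitlines():
        entry = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not entry:
            continue
        try:
            parsed = parse_entry(entry)
            # Assumed guard: refuse networks broad enough to block everything.
            if any(n.prefixlen < min_prefix for n in parsed):
                raise ValueError("network too broad")
        except (ValueError, TypeError):
            rejected.append(entry)
            continue
        nets.extend(parsed)
    lines = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        same = [n for n in nets if n.version == version]
        for n in ipaddress.collapse_addresses(same):
            host = n.prefixlen == n.max_prefixlen
            lines.append(str(n.network_address) if host else str(n))
    return lines, rejected
```

Review the `rejected` list before deploying the output, since a silently dropped entry leaves a gap in the block list.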
