Dennis Miller
asked on
return to google question.
But this would only disable that feature temporarily. If someone enabled it, then Prism wouldn't catch it until the next check? By that time, the damage would be done--any files indexed AFTER the option is checked get copied to Google. This is in response to my last question on being able to disable the new Google and I was given a reg hack that I believe would work. The security guy here says this is only a temporary fix. I am not sure why since this is a registry setting and would not be temporary. Can someone explain? My original question was how can I disable this so people with admin rights to their local box could not download or install this.
ASKER
https://www.experts-exchange.com/questions/21744429/new-google.html this is from the original question.
ASKER CERTIFIED SOLUTION
ASKER
what is a snort rule and how would I create this. I am of course no guru, so could you give me the steps? Thanks. I did try looking it up but only became more confused.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Google Desktop User-Agent Detected"; flow: to_server,established; content:"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase; classtype: policy-violation; sid: 3000001; rev:1; )
Here is a rule already written to detect Google Desktop. Writing Snort rules is a complicated topic by itself, but I will break down the parts in the rule above to explain what it does:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 --> detects a TCP connection from any machine in the $HOME_NET to any machine in the $EXTERNAL_NET on port 80
msg: "BLEEDING-EDGE Google Desktop User-Agent Detected" --> this is the message that it will log when this rule is fired
flow: to_server,established; --> the direction of the traffic is to the server and the connection was already established
content:"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)" --> it searches the traffic to match that pattern
nocase; --> this should mean that it's not case sensitive but I'm not 100% certain
classtype: policy-violation --> It is a policy violation
sid: 3000001 --> the id of the rule is 3000001, this can be any other number but it has to be unique for each rule
rev:1 --> this stores information about which revision of the rule you are using (you can revise the rule down the road).
If you don't have Snort set up you can read the documentation on their website for instructions. If you do have it set up, place the rule in the rule files that Snort is configured to load, or place it in a new file and configure Snort to load that file.
Regards,
Cosmin Stejerean
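As an added Python example (not from the answer above and not Snort's own code), here is a toy parser that splits this rule into its header and option list, undoes the `\:` and `\;` escaping in the content string, and applies the content/nocase check to constructed sample HTTP requests. It assumes only the content and nocase options matter; flow, ports and the rest of Snort's engine are ignored.

```python
import re
# Constructed copy of the rule from the answer above, joined onto one line.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
        '(msg: "BLEEDING-EDGE Google Desktop User-Agent Detected"; flow: to_server,established; '
        'content:"User-Agent\\: Mozilla/4.0 (compatible\\; Google Desktop)"; nocase; '
        'classtype: policy-violation; sid: 3000001; rev:1; )')
# Constructed sample HTTP requests (not real captures).
GOOGLE_DESKTOP_REQ = ("GET /search?q=test HTTP/1.1\r\nHost: example.com\r\n"
                      "User-Agent: Mozilla/4.0 (compatible; Google Desktop)\r\n\r\n")
UPPERCASE_REQ = GOOGLE_DESKTOP_REQ.replace("Google Desktop", "GOOGLE DESKTOP")
BROWSER_REQ = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
               "User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n\r\n")

def parse_rule(rule):
    """Split a Snort rule into header fields plus an ordered list of (option, value) pairs."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = []
    # Options end at ';', but '\;' inside a content string is an escaped literal, not a separator.
    for raw in re.split(r"(?<!\\);", body.rstrip(" )")):
        raw = raw.strip()
        if not raw:
            continue  # empty piece after the final ';'
        key, _, val = raw.partition(":")
        val = val.strip().strip('"')
        # Undo the '\:' and '\;' escaping so the content pattern can be matched literally.
        opts.append((key.strip(), val.replace("\\:", ":").replace("\\;", ";")))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}

def rule_matches(parsed, payload):
    """Apply the rule's content option(s) to one request payload.
    'nocase' modifies the content option immediately before it, so only that
    pattern is compared case-insensitively. Toy matcher: flow, ports and every
    other option Snort evaluates are ignored here."""
    opts = parsed["options"]
    for i, (key, val) in enumerate(opts):
        if key != "content":
            continue
        nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
        hay, needle = (payload.lower(), val.lower()) if nocase else (payload, val)
        if needle not in hay:
            return False
    return True

def scan(parsed, payloads):
    """Return the rule's msg once per payload that fires it, like Snort's alert output."""
    msg = dict(parsed["options"])["msg"]
    return [msg for p in payloads if rule_matches(parsed, p)]
```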