The sensor can now reassemble interesting files transmitted on your network, inbound and outbound, on ports 25, 80, 110 and 143 (SMTP, HTTP, POP3 and IMAP). These are the ports through which most malware arrives, whether by browser-based attacks, phishing or email spam. Note that these are the cleartext ports: the same protocols carried over TLS (443, 993, 995 and so on) cannot be reassembled without decryption.
Real Time File Transmission Logging
By default, every transfer of a potentially dangerous file type (exe, dll, MS Office, pdf, zip, etc.) is logged and correlated, whether or not the file is actually malicious. This lets you see what content your users are downloading and uploading (these informational messages can be disabled if they are too noisy for you). See the screenshot below, where several file transfers are logged.
Real Time File Scanning
More importantly, files that VirusTotal reports as containing malicious code are ranked 100 and flagged as high-priority events for your analysis. Any such event should be taken seriously and remediated quickly. Keep in mind that the converse does not hold: a file that VirusTotal does not flag is not necessarily clean, so the informational transfer logs above remain worth reviewing. See the screenshot below, where Snort events and file-inbound events are correlated to show an ongoing infection.
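To make the two behaviours above concrete, here is an added example (not the product's own code) of the logging and ranking logic applied to one reassembled HTTP response: the body is typed by its magic bytes, hashed with SHA-256, and looked up against a malware verdict source; a hit becomes a priority-100 event and everything else an informational (priority 0) event. The HTTP response, the file bodies and the "known bad" hash table are constructed for the example so that it runs offline; the `vt_lookup` function shows the same lookup against the VirusTotal v3 files endpoint (an assumption about the API used here, not something the page states) and is only exercised if you pass it a real key. Email attachments on ports 25/110/143 would need MIME parsing in addition and are not covered.

```python
import hashlib
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Magic-number signatures for the file types the sensor reports on.
# Office 2007+ documents (docx/xlsx/pptx) are ZIP containers and share the
# PK signature; legacy Office files use the OLE2 compound-document header.
SIGNATURES = {
    b"MZ": "exe/dll",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ms-office-legacy",
}


@dataclass
class FileEvent:
    direction: str            # "inbound" or "outbound"
    port: int
    filename: str
    filetype: str
    sha256: str
    priority: int             # 100 = flagged by the verdict source, 0 = informational
    detections: Optional[int]  # engines reporting malicious; None = hash unknown


def identify(payload: bytes) -> Optional[str]:
    """Classify a file body by its leading magic bytes; None if not a logged type."""
    for magic, name in SIGNATURES.items():
        if payload.startswith(magic):
            return name
    return None


def split_http_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return (lower-cased headers, body) from a reassembled HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(body)))
    return headers, body[:length]


def filename_from_headers(headers: Dict[str, str], default: str = "unnamed") -> str:
    for part in headers.get("content-disposition", "").split(";"):
        part = part.strip()
        if part.lower().startswith("filename="):
            return part.split("=", 1)[1].strip('"')
    return default


def vt_lookup(api_key: str, sha256: str) -> Optional[int]:
    """Hash lookup via VirusTotal API v3 (assumed endpoint; makes a network call).
    Returns the number of engines calling it malicious, or None if VT has never
    seen the hash. An unknown hash is not evidence that the file is clean."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return data["data"]["attributes"]["last_analysis_stats"]["malicious"]


def build_event(direction: str, port: int, raw_response: bytes,
                lookup: Callable[[str], Optional[int]]) -> Optional[FileEvent]:
    """Turn one reassembled HTTP response into a logged event, or None if the body
    is not one of the tracked file types."""
    headers, body = split_http_response(raw_response)
    ftype = identify(body)
    if ftype is None:
        return None
    digest = hashlib.sha256(body).hexdigest()
    positives = lookup(digest)
    priority = 100 if positives else 0
    return FileEvent(direction, port, filename_from_headers(headers),
                     ftype, digest, priority, positives)


# --- Constructed sample data for an offline run ---------------------------
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"      # minimal PE-looking stub
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n"


def http_response(filename: str, body: bytes,
                  ctype: str = "application/octet-stream") -> bytes:
    """Build a constructed HTTP/1.1 response carrying `body` as an attachment."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype.encode() +
            b'\r\nContent-Disposition: attachment; filename="' + filename.encode() +
            b'"\r\nContent-Length: ' + str(len(body)).encode() + b"\r\n\r\n" + body)


# Stand-in verdict table (constructed): only the sample EXE is "known bad".
CONSTRUCTED_BAD_HASHES = {hashlib.sha256(SAMPLE_EXE).hexdigest(): 42}


def offline_lookup(sha256: str) -> Optional[int]:
    return CONSTRUCTED_BAD_HASHES.get(sha256)


if __name__ == "__main__":
    for direction, name, body in [("inbound", "update.exe", SAMPLE_EXE),
                                  ("outbound", "q3-report.pdf", SAMPLE_PDF),
                                  ("inbound", "index.html", b"<html></html>")]:
        print(build_event(direction, 80, http_response(name, body), offline_lookup))
```

The priority rule deliberately treats "unknown to the verdict source" the same as "zero detections": both stay informational, which is exactly why the informational stream is worth keeping on. To use the live lookup, pass `lambda h: vt_lookup(API_KEY, h)` as the `lookup` argument; remember that free VirusTotal keys are rate-limited, so a busy sensor should cache results per hash rather than query on every transfer.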
To enable this feature:
- Go to your Sensor Configuration page
- Enable the File Monitoring plugin by ticking the check box labeled "File Monitoring" toward the bottom of the page
- Enter an optional VirusTotal key (if you do not have one, we highly recommend registering with VirusTotal and obtaining a free key at https://www.virustotal.com/)
- Save the sensor configuration
- Run /nsm/etc/mss.sh restart on your sensor