#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; reference:url,doc.emergingthreats.net/2009798; classtype:policy-violation; sid:2009798; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:02:55 UTC


#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; reference:url,doc.emergingthreats.net/2009798; classtype:policy-violation; sid:2009798; rev:2;)

Added 2011-10-12 19:28:17 UTC


#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009798; sid:2009798; rev:2;)

Added 2011-09-14 22:41:34 UTC


#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009798; rev:2;)

Added 2011-02-04 17:29:11 UTC


alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009798; rev:2;)

Added 2009-08-31 16:38:43 UTC

Carbonite (like Mozy) is an online backup service: they upload files differentially and incrementally (as they are updated or made) to a server and those files can then be retrieved.

This sig works by looking for an https connection to the Carbonite servers at 38.97.75.0/24.

Carbonite becomes a policy issue when the end users take backup issues into their own hands. In that case the corporate network has no way of knowing what is being stored on the Carbonite servers or what content is being "retrieved" from the servers.

-- JackPepper - 01 Dec 2009
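
How the rule's header, `flow` and `content`/`offset:56` options combine, as an added Python model run over constructed flows (not part of the original page or the Emerging Threats ruleset). The function names and sample payloads are assumptions; the network, port, string and offset are copied from the rule above.

```python
import ipaddress

# Fields copied from the rule on this page (sid 2009798).
DST_NET = ipaddress.ip_network("38.97.75.0/24")
DST_PORT = 443
CONTENT = b"CarboniteInc"
OFFSET = 56  # Snort 'offset': the search starts at this payload byte


def rule_matches(dst_ip, dst_port, to_server, payload):
    """Hypothetical model of the rule's checks. The source side ($HOME_NET)
    and 'established' state are site/stream specific and assumed satisfied."""
    if not to_server or dst_port != DST_PORT:
        return False
    if ipaddress.ip_address(dst_ip) not in DST_NET:
        return False
    # No 'depth' or 'nocase' in the rule: case-sensitive search from
    # byte 56 to the end of the payload.
    return payload.find(CONTENT, OFFSET) != -1


def sample_payload(marker_at):
    """Constructed payload: 200 filler bytes with the marker at one position."""
    body = bytearray(b"\x00" * 200)
    body[marker_at:marker_at + len(CONTENT)] = CONTENT
    return bytes(body)


# Constructed flows: (label, dst_ip, dst_port, to_server, payload)
FLOWS = [
    ("marker at byte 120", "38.97.75.10", 443, True, sample_payload(120)),
    ("marker at byte 56", "38.97.75.10", 443, True, sample_payload(56)),
    ("marker at byte 50", "38.97.75.10", 443, True, sample_payload(50)),
    ("no marker", "38.97.75.10", 443, True, b"\x00" * 200),
    ("other network", "192.0.2.10", 443, True, sample_payload(120)),
    ("to client", "38.97.75.10", 443, False, sample_payload(120)),
]


def evaluate(flows=FLOWS):
    """Return {label: True if the modelled rule would alert}."""
    return {label: rule_matches(ip, port, ts, data)
            for label, ip, port, ts, data in flows}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'no alert':8}  {label}")
```

Only the first two flows alert: a session to the /24 without the string, or the same string sent to any address outside the hardcoded range, passes unnoticed.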


alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; classtype:policy-violation; sid:2009798; rev:1;)

Added 2009-08-27 23:35:38 UTC


Topic revision: r2 - 2009-12-01 - JackPepper
 