Snort mailing list archives

Re: Problem with sensitive-data:email addresses rule


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 30 Mar 2013 17:09:16 -0500

On 3/30/2013 10:24, Gregory Pendergast wrote:
I've just set up my security-onion system to include the VRT
Registered User rule. I'm getting a bunch of hits on 138:5
Sensitive-data email addresses, but the direction is wrong.

The rule says $HOME_NET ->  $EXTERNAL_NET but the alerts I'm getting
are in the opposite direction. The traffic flow is $EXTERNAL_NET ->
$HOME_NET.

that '->' isn't necessarily the "direction of flow" indicator... there are also 
"to_server", "from_server", "to_client" and "from_client" modifiers... those are 
where the real direction is determined, and that is based on the location of 
$HOME_NET and $EXTERNAL_NET along with whether '->', '<-', or '<>' is used...

i'm unsure how you are determining the direction for that "rule" since it is a 
preprocessor "rule" which is generally written in source code rather than rule 
code... AIUI at least...

you might find this link helpful... it doesn't note any particular direction of 
traffic flow, though... only that apparent email addresses have been seen in 
traffic and that it might be a policy violation...

   http://www.snort.org/search/sid/138-5

Since I just added the VRT rules, this could be happening for other
things and I just haven't found it yet.

In snort.conf, my EXTERNAL_NET = !$HOME_NET and the SecurityOnion
sensors are running Snort 2.9.3.1.

Any ideas as to what could be wrong? I didn't encounter this problem
when using only the ETPRO rules.

the only other thing i can think of would be the location of your sensor and 
what it is sniffing...
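As an added illustration of the header-direction point in the reply (example code written for this archive page, not from the original thread or the Snort project), the function below evaluates a rule header's `->` or `<>` against a packet's source and destination, using a constructed $HOME_NET and the poster's EXTERNAL_NET = !$HOME_NET. It does not model flow: modifiers (to_server/to_client) or the sensitive_data preprocessor alerts under GID 138, which come from preprocessor code rather than a rule header.

```python
import ipaddress

# Constructed sensor configuration for this example (not from the thread).
HOME_NET = ["192.168.1.0/24", "10.0.0.0/8"]
EXTERNAL_NET = "!$HOME_NET"  # the setting the poster describes in snort.conf

VARS = {"$HOME_NET": HOME_NET, "$EXTERNAL_NET": EXTERNAL_NET}


def in_net(ip, spec):
    """Evaluate a Snort-style address spec ('any', '$VAR', '!spec', CIDR,
    or a list of CIDRs) against a single IP address."""
    if isinstance(spec, list):
        return any(in_net(ip, item) for item in spec)
    if spec == "any":
        return True
    if spec.startswith("!"):              # negation, e.g. !$HOME_NET
        return not in_net(ip, spec[1:])
    if spec.startswith("$"):              # variable reference
        return in_net(ip, VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_header(header):
    """Split 'alert tcp $HOME_NET any -> $EXTERNAL_NET any' into its fields."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):     # the two operators the rule header syntax defines
        raise ValueError("unsupported direction operator: %s" % direction)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def header_matches(header, src_ip, dst_ip):
    """True if the packet endpoints satisfy the header's address/direction part.

    '->' is evaluated one way only; '<>' also accepts the reversed pairing.
    Ports are ignored here to keep the focus on direction."""
    h = parse_header(header)
    forward = in_net(src_ip, h["src"]) and in_net(dst_ip, h["dst"])
    if h["direction"] == "->":
        return forward
    reverse = in_net(src_ip, h["dst"]) and in_net(dst_ip, h["src"])
    return forward or reverse


if __name__ == "__main__":
    rule = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"
    # Inside host talking out: matches. External host talking in: does not.
    print(header_matches(rule, "192.168.1.10", "203.0.113.5"))  # True
    print(header_matches(rule, "203.0.113.5", "192.168.1.10"))  # False
```

Swapping `->` for `<>` in `rule` makes the second call return True as well, which is the difference the reply is pointing at between a one-way header and a bidirectional one.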
