
Snort mailing list archives
Re: getting sensitive-data cc# alert to fire
From: "jason" <jason () mangdub com>
Date: Sat, 1 Feb 2014 09:45:15 -0500
Hi! I'm trying to get the sensitive-data CC# alert to fire but I'm having trouble making it happen. Here's what I'm trying and what I've got:

Snort.conf:

    preprocessor sensitive_data: alert_threshold 3

This is the rule that came with pulledpork but I can't get it to fire:

    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I made this my only rule in snort and I modified it trying to make it easier to fire and alert, but still no luck:

    alert tcp $HOME_NET any -> any any (msg:"SENSITIVE-DATA Credit Card Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I then send a mail or use netcat and send clear text CC#'s, but still can't get it to fire. I ran a tcpdump while sending the CC#'s and I can see the CC#'s in the payload (of course). I ran snort with DAQ dump to pcap and that sees the CC#'s too!

    /usr/local/bin/snort -i eth0.4094 -Q --daq dump --daq-var load-mode=passive --daq-var file=/tmp/snort_pcap_dump.cap

Could it be something with my Stream5 config? Is my testing method whack? I'm missing something simple, I think...

Thanks for any advice

# Sorry if this becomes a duplicate - I get all the mail so I thought I was a member already, but I got a bounce saying I wasn't... so I signed up again and I'm reposting this and cancelled the original.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
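An added example, not from the original post or from the Snort project: one thing worth checking before blaming Stream5 is whether the test payload contains what the rule actually asks for. Per the Snort manual, the credit_card pattern in the sensitive_data preprocessor matches 15- or 16-digit Visa, MasterCard, Discover and American Express numbers, optionally broken up by spaces or dashes, and validates them with the Luhn checksum; the count in sd_pattern:2,credit_card means two such matches are needed before the alert is raised. The script below approximates that check offline (the candidate regex and brand-prefix filter are my simplification, not Snort's implementation) so that a tester can confirm a payload holds enough Luhn-valid numbers. The sample payload is constructed for this example; the card numbers in it are the widely published Visa and MasterCard test numbers, plus one made-up number that fails Luhn.

```python
import re

# Constructed test payload (not from the original post). A made-up number
# such as 1234567890123456 fails the Luhn check, so a test built from
# numbers like that never counts as a credit card match.
SAMPLE_PAYLOAD = (
    "Subject: sensitive-data test\n\n"
    "card one: 4111 1111 1111 1111\n"
    "card two: 5555-5555-5555-4444\n"
    "not a card: 1234567890123456\n"
)

# 15 or 16 digits, each optionally followed by a single space or dash,
# not glued to further digits on either side (my approximation).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")

# Brand prefixes the manual names: AmEx (3), Visa (4), MasterCard (5),
# Discover (6). Simplified to the first digit only.
BRAND_FIRST_DIGITS = "3456"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_matches(payload: str) -> list[str]:
    """Return the normalised (separator-free) numbers that would count as matches."""
    found = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if (len(digits) in (15, 16)
                and digits[0] in BRAND_FIRST_DIGITS
                and luhn_ok(digits)):
            found.append(digits)
    return found


def rule_would_fire(payload: str, count: int = 2) -> bool:
    """Mirror sd_pattern:<count>,credit_card: alert once <count> matches are seen."""
    return len(card_matches(payload)) >= count


if __name__ == "__main__":
    matches = card_matches(SAMPLE_PAYLOAD)
    print("valid card numbers found:", matches)
    print("sd_pattern:2,credit_card would fire:", rule_would_fire(SAMPLE_PAYLOAD, 2))
    print("sd_pattern:3,credit_card would fire:", rule_would_fire(SAMPLE_PAYLOAD, 3))
```

Run it against the exact text you push through netcat or the mail client; if it reports fewer than two valid numbers, the rule cannot fire no matter how the preprocessor is wired up, and the fix is the test payload rather than the Stream5 configuration.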