Snort mailing list archives

Re: Sensitive Data Preprocessor: logging single matches


From: Erik Johnson <ejohnson () vailsys com>
Date: Tue, 1 Mar 2011 12:38:47 -0600

On Tue, Mar 01, 2011 at 12:41:16PM -0500, Victor Roemer wrote:
Hey Erik,


So far I'm not able to reproduce the issues you are seeing.

Here's my rule:

alert tcp any any -> any any (msg:"SENSITIVE-DATA Credit Card Numbers";
metadata:service http, service smtp, service imap, service pop3;
sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)


A pcap with 1 (albeit fake) CC number in an HTTP GET request is attached. When
I run this through Snort I generate the following alert:

03/01-12:24:46.382944  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers
[**] [Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2] {TCP} 10.1.2.3:48620 -> 0.0.0.80:8
03/01-12:24:46.382944 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800
len:0x58
10.1.2.3:48620 -> 0.0.0.80:8 TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:74
***AP*** Seq: 0x2  Ack: 0x2  Win: 0x100  TcpLen: 20
47 45 54 20 2F 74 65 73 74 2E 70 68 70 3F 73 64  GET /test.php?sd
66 3D 35 31 30 34 36 32 37 35 30 34 39 32 58 58  f=510462750492XX
58 58                                            XX

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Something to keep in mind when running your tests is that the CC numbers are
validated against the Luhn algorithm and, per the README, it covers Visa,
Mastercard, Discover, and American Express.


Also when logging in tcpdump binary ( -b ) I received all the data.

This is all using 2.9.0.4.


Perhaps you could provide more information about your configuration and test
data.


Thanks!


Here is my rule:

alert tcp any any <> any any ( \
sd_pattern: 1,credit_card; classtype:sdf; metadata:service smtp; \
msg: "Credit Card number detected in plaintext"; \
gid: 138; sid: 8000001; rev: 2; )

Here are the two emails I sent via telnet. The first did not generate an
alert, the second did. I'm running 2.9.0.3.


ejohnson@gallifrey:~$ telnet XXXXXXXXX 25
Trying XXX.XXX.XXX.XXX...
Connected to XXXXXXXXX.
Escape character is '^]'.
220 ********************
helo XXXXXXXXXXX
250 XXXXXXXXXXXXXX
mail from: XXXXXXXXXXXXXXXXXXXX
250 2.1.0 Ok
rcpt to: XXXXXXXXXXXXXXXXXXXX
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: XXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXX
Subject: foo

test

4660105464387620
.
250 2.0.0 Ok: queued as E875F1C8072
mail from: XXXXXXXXXXXXXXXXXXXX
250 2.1.0 Ok
rcpt to: XXXXXXXXXXXXXXXXXXXX
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: XXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXX
Subject: foo2

test

4660105464387620
4660105464387620
.
250 2.0.0 Ok: queued as 606A51C80A4


--

Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699

http://www.vailsys.com
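To check the Luhn point raised above against the two message bodies in this thread, here is an added Python example (not Snort's code or the sd_pattern implementation) that applies the Luhn check the README describes to constructed copies of both bodies and counts how many candidates reach the rule's sd_pattern count. The candidate regex and the threshold semantics are my assumptions, not the preprocessor's.

```python
import re

# Constructed sample inputs: the two message bodies sent via telnet above,
# carrying one and two copies of the same fake (but Luhn-valid) number.
BODY_ONE = "Subject: foo\n\ntest\n\n4660105464387620\n"
BODY_TWO = "Subject: foo2\n\ntest\n\n4660105464387620\n4660105464387620\n"

# Assumed candidate shapes: 16 digits (Visa/MasterCard/Discover) or 15 digits
# (AmEx), optionally grouped by spaces or dashes. Issuer-prefix checks are
# deliberately omitted; this is an approximation, not the README's pattern.
CANDIDATE = re.compile(
    r"(?<!\d)(\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}|\d{4}[ -]?\d{6}[ -]?\d{5})(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_cc_matches(body: str) -> int:
    """Count candidates that also pass Luhn, the way a detector would."""
    n = 0
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(1))
        if luhn_ok(digits):
            n += 1
    return n


def would_alert(body: str, threshold: int = 1) -> bool:
    """Assumed semantics: sd_pattern:<count>,credit_card fires once the
    number of validated matches reaches <count>."""
    return count_cc_matches(body) >= threshold


if __name__ == "__main__":
    for name, body in (("foo", BODY_ONE), ("foo2", BODY_TWO)):
        print(name, count_cc_matches(body), would_alert(body, 1))
```

Both bodies contain a Luhn-valid number, so under these assumptions a count of 1 should fire on the first message as well; a Luhn failure is not what separates the two cases.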

