Snort mailing list archives
Re: Sensitive Data Preprocessor: logging single matches
From: Erik Johnson <ejohnson () vailsys com>
Date: Tue, 1 Mar 2011 12:38:47 -0600
On Tue, Mar 01, 2011 at 12:41:16PM -0500, Victor Roemer wrote:
> Hey Erik,
>
> So far I'm not able to reproduce the issues you are seeing. Here's my rule:
>
> alert tcp any any -> any any (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service imap, service pop3; sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
>
> Pcap with 1 (albeit fake) CC number in an http get request is attached. When I run this through snort I generate the following alert:
>
> 03/01-12:24:46.382944 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.1.2.3:48620 -> 0.0.0.80:8
>
> 03/01-12:24:46.382944 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x58
> 10.1.2.3:48620 -> 0.0.0.80:8 TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:74
> ***AP*** Seq: 0x2  Ack: 0x2  Win: 0x100  TcpLen: 20
> 47 45 54 20 2F 74 65 73 74 2E 70 68 70 3F 73 64  GET /test.php?sd
> 66 3D 35 31 30 34 36 32 37 35 30 34 39 32 58 58  f=510462750492XX
> 58 58                                            XX
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Something to keep in mind when running your tests is that the CC numbers are validated against the Luhn algorithm and, per the README, cover Visa, Mastercard, Discover, and American Express. Also, when logging in tcpdump binary (-b) I received all the data.
>
> This is all using 2.9.0.4. Perhaps you could provide more information about your configuration and test data.
>
> Thanks!
Here is my rule:

alert tcp any any <> any any ( \
    sd_pattern: 1,credit_card; classtype:sdf; metadata:service smtp; \
    msg: "Credit Card number detected in plaintext"; \
    gid: 138; sid: 8000001; rev: 2; )

Here are the two emails I sent via telnet. The first did not generate an alert, the second did. I'm running 2.9.0.3.

ejohnson@gallifrey:~$ telnet XXXXXXXXX 25
Trying XXX.XXX.XXX.XXX...
Connected to XXXXXXXXX.
Escape character is '^]'.
220 ********************
helo XXXXXXXXXXX
250 XXXXXXXXXXXXXX
mail from: XXXXXXXXXXXXXXXXXXXX
250 2.1.0 Ok
rcpt to: XXXXXXXXXXXXXXXXXXXX
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: XXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXX
Subject: foo

test 4660105464387620
.
250 2.0.0 Ok: queued as E875F1C8072
mail from: XXXXXXXXXXXXXXXXXXXX
250 2.1.0 Ok
rcpt to: XXXXXXXXXXXXXXXXXXXX
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: XXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXX
Subject: foo2

test 4660105464387620 4660105464387620
.
250 2.0.0 Ok: queued as 606A51C80A4

-- 
Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699
http://www.vailsys.com
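Victor points out that sd_pattern's credit_card matches are Luhn-validated and restricted to Visa, Mastercard, Discover and American Express, and the thread turns on whether one number in an SMTP body should count toward an sd_pattern count of 1. The script below is an added example for checking test data before blaming the preprocessor; it is not part of this thread and not Snort's own implementation. It applies the Luhn checksum and the commonly published issuer prefix/length rules (an assumption: Snort's exact patterns may differ), treats optional space or dash grouping as an assumption, and its `would_alert` threshold only approximates the sd_pattern count semantics. The two message bodies are the ones from the telnet session above; the Amex and Luhn-failing samples are constructed.

```python
import re

# Candidate: 15 or 16 digits, optionally grouped with single spaces or dashes.
# The grouping rule is an assumption, not taken from Snort's source.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, fold >9 to
    a single digit by subtracting 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Issuer ranges the README names (Visa, Mastercard, Discover, American
    Express) using the public prefix/length rules. Assumption: Snort's own
    patterns may be narrower or wider than these."""
    n = len(digits)
    if n == 16 and digits[0] == "4":
        return "Visa"
    if n == 16 and digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    if n == 15 and digits[:2] in {"34", "37"}:
        return "American Express"
    return None


def find_card_numbers(payload: str):
    """Return (digits, issuer) for every candidate that has a known issuer
    prefix AND passes Luhn; the rest is ignored, as sd_pattern would."""
    found = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        iss = issuer(digits)
        if iss and luhn_ok(digits):
            found.append((digits, iss))
    return found


def would_alert(payload: str, threshold: int) -> bool:
    """Approximation of 'sd_pattern:<threshold>,credit_card' over one payload:
    alert once at least <threshold> validated numbers are present."""
    return len(find_card_numbers(payload)) >= threshold


# DATA bodies from the two telnet sessions in the thread.
FIRST_MAIL = "From: x\r\nTo: y\r\nSubject: foo\r\n\r\ntest 4660105464387620\r\n.\r\n"
SECOND_MAIL = ("From: x\r\nTo: y\r\nSubject: foo2\r\n\r\n"
               "test 4660105464387620 4660105464387620\r\n.\r\n")

# Constructed samples: a dash-grouped Amex test number that passes Luhn, and
# the thread's Visa number with its check digit changed so Luhn fails.
AMEX_MAIL = "card 3782-822463-10005 on file\r\n"
BAD_LUHN_MAIL = "test 4660105464387621\r\n"

if __name__ == "__main__":
    for name, body in [("first", FIRST_MAIL), ("second", SECOND_MAIL),
                       ("amex", AMEX_MAIL), ("bad_luhn", BAD_LUHN_MAIL)]:
        hits = find_card_numbers(body)
        print(f"{name}: {len(hits)} validated number(s) {hits}; "
              f"count>=1 -> {would_alert(body, 1)}")
```

Run it against the exact bytes you are sending: a number that fails Luhn or does not start with one of the listed prefixes will never count, whatever the sd_pattern count is, so checking the test data this way separates "bad test number" from "preprocessor did not fire".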