Snort mailing list archives
Re: Sensitive Data Preprocessor: logging single matches
From: Victor Roemer <vroemer () sourcefire com>
Date: Tue, 1 Mar 2011 17:45:47 -0500
Ah, I missed that, sorry. Anyways, per my testing everything seems hunky-dory, which leads me to believe that the issues you are currently experiencing are extraneous to the sensitive data preprocessor. It's probably worthwhile that you validate your Stream and SMTP configurations are kosher (possible depth/data length settings, etc...). But as a show of good faith I've attached my latest pcap which has given me good results.

$ ./bin/snort -c etc/snort.conf -Acmg -knone -r smtp-victor.pcap 2> /dev/null
03/01-16:54:17.353651 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.1.2.3:48620 -> 10.9.8.7:25
Stream reassembled packet
03/01-16:54:17.353651 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0xB6
10.1.2.3:48620 -> 10.9.8.7:25 TCP TTL:64 TOS:0x0 ID:22 IpLen:20 DgmLen:168
***AP*** Seq: 0x57 Ack: 0x65 Win: 0x100 TcpLen: 20
46 72 6F 6D 3A 20 66 72 61 6B 40 65 78 61 6D 70  From: frak@examp
6C 65 2E 63 6F 6D 0D 0A 54 6F 3A 20 6B 61 72 66  le.com..To: karf
40 65 78 61 6D 70 6C 65 2E 63 6F 6D 0D 0A 43 6F  @example.com..Co
6E 74 65 6E 74 2D 74 79 70 65 3A 20 74 65 78 74  ntent-type: text
2F 68 74 6D 6C 0D 0A 53 75 62 6A 65 63 74 3A 20  /html..Subject:
43 72 65 64 69 74 20 43 61 72 64 20 4E 75 6D 62  Credit Card Numb
65 72 73 20 59 6F 21 0D 0A 0D 0A 58 58 58 58 58  ers Yo!....XXXXX
58 58 58 58 58 58 58 37 36 32 30 0D 0A 2E 0D 0A  XXXXXXX7620.....

Otherwise, I'm almost out of ideas :sadface: so perhaps there are more inclined people on the list who might have some ideas.

On Tue, Mar 1, 2011 at 3:31 PM, Erik Johnson <ejohnson () vailsys com> wrote:
> On Tue, Mar 01, 2011 at 03:17:10PM -0500, Victor Roemer wrote:
> > Try adding some mail headers in the stream, here's what I did
> >
> > [vroemer@interpol simple]$ telnet mail.example.com 25
> > Trying 192.168.1.2 ...
> > Connected to mail.example.com.
> > Escape character is '^]'.
> > 220 example.com ESMTP Postfix
> > helo mail.example.com.com
> > 250 example.com
> > mail from: blah () blah com
> > 250 Ok
> > rcpt to: frak () frakken com
> > 250 Ok
> > data
> > 354 End data with <CR><LF>.<CR><LF>
> > From: blah () blah com
> > To: frak () frakken com
> > Content-type: text/html
> > Subject: Credit Card Numbers
> >
> > 4660105464387620
> > .
> > 250 Ok: queued as E4A486CC12C
> > ^]
> > telnet> Connection closed.
>
> The example I sent in my previous message already did have mail headers. I tried again, this time adding "Content-type: text/plain", but it still takes two credit card numbers to generate an alert.
>
> --
> Erik Johnson
> System Administrator
> Vail Systems
> e: ejohnson () vailsys com
> p: 866-254-7699
> http://www.vailsys.com
Attachment: smtp-victor.pcap
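As an added illustration, not code from the thread or from Snort itself, here is a small Python model of the match-count behaviour under discussion: it scans a reassembled SMTP DATA section for Luhn-valid card numbers, masks them the way the alert output above does, and alerts only when the match count in one stream reaches a threshold. The threshold of 2, the digit pattern and the constructed message are assumptions for the example, not the preprocessor's actual implementation.

```python
import re

# Constructed SMTP DATA section modelled on the telnet session quoted above
# (addresses taken from the pcap dump; the card number is the one Victor typed).
SMTP_DATA = (
    "From: frak@example.com\r\n"
    "To: karf@example.com\r\n"
    "Content-type: text/html\r\n"
    "Subject: Credit Card Numbers Yo!\r\n"
    "\r\n"
    "4660105464387620\r\n"
    ".\r\n"
)

# Candidate PANs: 13 to 16 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits (assumed pattern).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload: str) -> list:
    """Return Luhn-valid card numbers (separators stripped) in a reassembled stream."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(payload))
    return [digits for digits in candidates if luhn_ok(digits)]


def mask(pan: str) -> str:
    """Mask all but the last four digits, as the alert output above shows."""
    return "X" * (len(pan) - 4) + pan[-4:]


def should_alert(payload: str, count: int = 2) -> bool:
    """Alert only once the number of matches in one stream reaches `count`."""
    return len(find_card_numbers(payload)) >= count


if __name__ == "__main__":
    hits = find_card_numbers(SMTP_DATA)
    print([mask(h) for h in hits], "alert(count=2):", should_alert(SMTP_DATA))
```

With one valid number the stream yields a single match, so a threshold of 2 stays silent; a second number (separators allowed) pushes it over.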