Snort mailing list archives

Re: Sensitive Data Preprocessor: logging single matches


From: Victor Roemer <vroemer () sourcefire com>
Date: Tue, 1 Mar 2011 17:45:47 -0500

Ah, I missed that, sorry.

Anyways, per my testing everything seems hunky-dory which leads me to
believe that the issues you are currently experiencing are extraneous to the
sensitive data preprocessor.

It's probably worthwhile that you validate your Stream and SMTP
configurations are kosher (possible depth/data length settings, etc...)


But as a show of good faith I've attached my latest pcap which has given me
good results.

$ ./bin/snort -c etc/snort.conf -Acmg -knone -r smtp-victor.pcap 2> /dev/null

03/01-16:54:17.353651  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.1.2.3:48620 -> 10.9.8.7:25
Stream reassembled packet
03/01-16:54:17.353651 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0xB6
10.1.2.3:48620 -> 10.9.8.7:25 TCP TTL:64 TOS:0x0 ID:22 IpLen:20 DgmLen:168
***AP*** Seq: 0x57  Ack: 0x65  Win: 0x100  TcpLen: 20
46 72 6F 6D 3A 20 66 72 61 6B 40 65 78 61 6D 70  From: frak@examp
6C 65 2E 63 6F 6D 0D 0A 54 6F 3A 20 6B 61 72 66  le.com..To: karf
40 65 78 61 6D 70 6C 65 2E 63 6F 6D 0D 0A 43 6F  @example.com..Co
6E 74 65 6E 74 2D 74 79 70 65 3A 20 74 65 78 74  ntent-type: text
2F 68 74 6D 6C 0D 0A 53 75 62 6A 65 63 74 3A 20  /html..Subject:
43 72 65 64 69 74 20 43 61 72 64 20 4E 75 6D 62  Credit Card Numb
65 72 73 20 59 6F 21 0D 0A 0D 0A 58 58 58 58 58  ers Yo!....XXXXX
58 58 58 58 58 58 58 37 36 32 30 0D 0A 2E 0D 0A  XXXXXXX7620.....

Otherwise, I'm almost out of ideas :sadface: so perhaps there are more
inclined people on the list who might have some ideas.


On Tue, Mar 1, 2011 at 3:31 PM, Erik Johnson <ejohnson () vailsys com> wrote:

On Tue, Mar 01, 2011 at 03:17:10PM -0500, Victor Roemer wrote:

Try adding some mail headers in the stream

here's what I did

[vroemer@interpol simple]$ telnet mail.example.com 25
Trying 192.168.1.2 ...
Connected to mail.example.com.
Escape character is '^]'.
220 example.com ESMTP Postfix
helo mail.example.com.com
250 example.com
mail from: blah () blah com
250 Ok
rcpt to: frak () frakken com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: blah () blah com
To: frak () frakken com
Content-type: text/html
Subject: Credit Card Numbers

4660105464387620
.
250 Ok: queued as E4A486CC12C
^]

telnet> Connection closed.



The example I sent in my previous message already did have mail headers.
I tried again, this time adding "Content-type: text/plain", but it still
takes two credit card numbers to generate an alert.


--

Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699

http://www.vailsys.com


Attachment: smtp-victor.pcap
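A small Python emulation of a count-threshold sensitive-data rule, added here as an illustration; it is not part of this thread and not Snort's own code. Snort's sd_pattern rule option takes a match count ahead of the pattern name, so a rule written with a count of 2 needs two matches within one reassembled stream before it fires (my recollection is that the stock sensitive-data rules ship sid 138:2 with sd_pattern:2,credit_card; check the installed rule file to confirm). The candidate regex and the Luhn check below are a constructed approximation of Snort's credit_card pattern, and the first sample number is the one used in the telnet session above; the second is a constructed Luhn-valid test number.

```python
import re

# Candidate 16-digit numbers, digits optionally separated by a single space or
# dash. This is a constructed approximation, not Snort's own credit_card regex.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list[str]:
    """Return every Luhn-valid candidate in body, normalised to bare digits."""
    found = []
    for m in CANDIDATE_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def rule_fires(body: str, count: int) -> bool:
    """Emulate a count-threshold rule: alert only once `count` matches occur.

    `count` plays the role of the leading number in an sd_pattern option
    (hypothetical stand-in; real Snort counts matches per stream/session).
    """
    return len(find_card_numbers(body)) >= count


# Constructed sample messages, shaped like the DATA section in the thread.
ONE_CARD = (
    "From: blah@example.com\r\n"
    "To: frak@example.com\r\n"
    "Content-type: text/plain\r\n"
    "Subject: Credit Card Numbers\r\n"
    "\r\n"
    "4660105464387620\r\n"
)
TWO_CARDS = ONE_CARD + "4111 1111 1111 1111\r\n"

if __name__ == "__main__":
    for label, body in (("one card", ONE_CARD), ("two cards", TWO_CARDS)):
        for count in (1, 2):
            print(f"{label}, count={count}: alert={rule_fires(body, count)}")
```

With a count of 2 the single-number message stays silent while the two-number message alerts, which is the behaviour being debated in the thread; dropping the count to 1 makes the single match log. Separately, the Luhn check is why a number with one digit changed does not count as a match at all.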

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
