Snort mailing list archives
Re: getting sensitive-data cc# alert to fire
From: "jason" <jason () mangdub com>
Date: Tue, 11 Feb 2014 15:56:45 -0500
Sorry I didn't update, been busy with other stuff. config disable_decode_alerts was uncommented in my snort.conf, so I commented it and now I see decode alerts where previously I did not. I thought for sure this was going to help me, but I STILL can't get Snort to fire an alert when I transmit CC#s. I played with the syslog settings, and when I have all my rules enabled (including the 4 sensitive-data rules that come by default) I am seeing alerts like this:

sensitive_data: sensitive data global threshold exceeded
[139:1:1] (spp_sdf) SDF Combination Alert [Classification: Senstive Data] [Priority: 2] {PROTO:254} xx.xx.xx.xx -> xx.xx.xx.xx

But I can't find any packets or payloads captured. I'm thinking the SDF Combination Alert is when 2 or more different sensitive-data alerts (like CC#s and social security numbers, for example) are tripped and is informational only? This alert doesn't get picked up by Barnyard, but the global threshold exceeded alerts do - they also don't have captured payloads.
Here's what I capture with tcpdump and reassembling, but I never see Snort capture any of this:

220 BN1BFFO11FD022.xxxxxxxxx.com Microsoft ESMTP MAIL Service ready at Thu, 6 Feb 2014 16:39:35 +0000
EHLO outgoing.xxxxxxxxxx.net
250-BN1BFFO11FD022.mail.xxxxxx.xxxxxx.com Hello [xx.xx.xx.xx]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
MAIL FROM:<me () foo com> SIZE=1336
RCPT TO:<me () foo com> ORCPT=rfc822;me () foo com
DATA
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
Received: from blade1-0?xxxxxxx.net (unknown [10.0.2.87])
        by outgoing.xxxxxxxxxx.net (Postfix) with SMTP id DD33849924BC
        for <me () foo com>; Thu, 6 Feb 2014 16:39:15 +0000 (GMT)
Message-Id: <20140206163921.DD33849924BC@ outgoing.xxxxxxxxxx.net>
Date: Thu, 6 Feb 2014 16:39:15 +0000 (GMT)
From: me () foo com
To: undisclosed-recipients:;

4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620 4111111111111111
4111-1111-1111-1111 4660105464387620
QUIT
250 2.6.0 <20140206163921.DD33849924BC () outgoing xxxxxxx net> [InternalId=8452495646426, Hostname=BN1PR05MB264.namprd05.xxxxxxxxx.com] Queued mail for delivery
221 2.0.0 Service closing transmission channel

I've also tried sending email addresses via mail and using netcat.
I even tried sending a fake CC# in the email header like:

helo 4111111111111111

I grabbed a new box, installed CentOS 6.4 and Snort 2.9.6, and I only changed the alert_syslog and commented out config disable_decode_alerts in snort.conf. I also made sure that threshold.conf is empty and not loading pulledpork disablesid.conf.

I changed the CC# rule to:

alert tcp any any <> any any (msg:"SENSITIVE-DATA Credit Card Numbers"; sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

and I changed the Email address rule to:

alert tcp any any <> any any (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:1,email; classtype:sdf; sid:5; gid:138; rev:1;)

This is a totally fresh install and the interface sees very little traffic, but I still can't get an alert out of it! I can only get that vague alert about the threshold being exceeded, but I don't even think my testing is tripping that. This is killing me because I know this should be working and shouldn't be this much trouble to test/confirm. Any other ideas are welcome, thanks.

From: Y M [mailto:snort () outlook com]
Sent: Tuesday, February 04, 2014 4:05 AM
To: jason () mangdub com
Cc: snort-sigs
Subject: RE: [Snort-sigs] getting sensitive-data cc# alert to fire

Hi Jason,

Does your snort.conf have this line disabled (commented)?

config disable_decode_alerts

From the documentation (http://manual.snort.org/node18.html): "if config disable_decode_alerts is in snort.conf, decoder events will not be generated regardless of whether or not there are corresponding rules for the event."

Thanks
YM
From: jason () mangdub com
To: snort-sigs () lists sourceforge net
Date: Mon, 3 Feb 2014 20:40:49 -0500
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

Thanks for that - I was using 2> /dev/null from the troubleshooting steps in that 2011 thread I found: http://seclists.org/snort/2011/q1/983

In that thread he uses 2> and gets the alert and the output? They did add LOG_ERR to the syslog config to fix their issue, which I tried as well:

output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR

When I run this again using 1> I get all the snort config output but still no alerts. My 1 rule (to rule them all):

alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf; msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001; rev:2;)

Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
Sensitive Data preprocessor config:
    Global Alert Threshold: 3
    Masked Output: DISABLED

I'm now wondering if the stream is not being reassembled properly and therefore doesn't trip the Luhn algorithm. I'm going to play with Stream5 depth/length settings next, but any other insights are of course welcome as I try to get this working. Again thanks all for the replies, it's really appreciated :) I will update if I make any headway.

Jason

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Monday, February 03, 2014 7:17 PM
To: rmkml; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

On 2/3/2014 5:06 PM, rmkml wrote:
> Sorry for disturb,

no problem, rm... you are welcome to jump in any time, my friend ;)

--
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
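The following is an added example for readers of this thread; it is not code from Snort or from anyone posting above. It approximates in Python what the Snort manual documents for the built-in sd_pattern credit_card option (15- or 16-digit numbers, optional space or dash separators, validated with the Luhn algorithm), so that a test payload can be checked offline for numbers that should match before chasing decoder, threshold or syslog settings. It also shows why inspecting TCP segments one at a time, without stream reassembly, can miss a number that straddles a segment boundary, which is the Stream5 hypothesis raised in the thread. The regular expression, the function names and the sample SMTP body are mine; the sample reuses the three test numbers from the posted session. How the preprocessor's global threshold or the SDF Combination Alert actually behave is not something this example claims to model.

```python
"""Approximation of the checks behind Snort's sd_pattern credit_card option.

Added illustration written for this thread, not Snort source. It assumes
only what the Snort manual says about the built-in pattern: 15- or 16-digit
numbers, optional space or dash separators, Luhn-validated. The regex,
helper names and SAMPLE_BODY below are constructed for this example.
"""
import re

# A candidate is 15 or 16 digits, each digit optionally followed by a single
# space or dash. The lookarounds stop a match from starting or ending inside
# a longer digit run (a Message-Id, a SIZE= value), which is the boundary
# check any real scanner also needs.
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){14,15}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """True if a string of ASCII digits passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload: str) -> list:
    """Return the separator-stripped, Luhn-valid card numbers in payload."""
    hits = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(digits) in (15, 16) and luhn_ok(digits):
            hits.append(digits)
    return hits


def rule_would_fire(payload: str, count: int = 1) -> bool:
    """Mimic sd_pattern:<count>,credit_card: true once `count` numbers are seen."""
    return len(find_card_numbers(payload)) >= count


def scan_segments(segments) -> list:
    """Scan each TCP segment on its own, i.e. what happens without reassembly."""
    hits = []
    for seg in segments:
        hits.extend(find_card_numbers(seg))
    return hits


# Constructed sample in the shape of the SMTP DATA body from the thread
# (addresses and host names are placeholders, not the poster's).
SAMPLE_BODY = (
    "From: me@example.com\r\n"
    "To: undisclosed-recipients:;\r\n"
    "Message-Id: <20140206163921.DD33849924BC@outgoing.example.net>\r\n"
    "\r\n"
    "4111-1111-1111-1111 4660105464387620 4111111111111111\r\n"
    "4111-1111-1111-1111 4660105464387620 4111111111111111\r\n"
    ".\r\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(rule_would_fire(SAMPLE_BODY))
    # Cut one number across a segment boundary: per-segment scanning misses it.
    cut = SAMPLE_BODY.index("4660105464387620") + 8
    print(len(scan_segments([SAMPLE_BODY[:cut], SAMPLE_BODY[cut:]])))
```

Run it against the reassembled body you pulled out of tcpdump: if find_card_numbers returns the numbers you expect, the test data is fine and the problem is in how Snort sees the stream or in how alerts are routed, not in the Luhn check. If the per-segment scan returns fewer hits than the reassembled scan, a number sits across a segment boundary and only reassembled inspection can catch it.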
Current thread:
- Re: getting sensitive-data cc# alert to fire jason (Feb 01)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire James Lay (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire Joel Esler (jesler) (Feb 03)
- Re: getting sensitive-data cc# alert to fire waldo kitty (Feb 03)
- Re: getting sensitive-data cc# alert to fire rmkml (Feb 03)
- Re: getting sensitive-data cc# alert to fire waldo kitty (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire Y M (Feb 04)
- Re: getting sensitive-data cc# alert to fire jason (Feb 11)
- Re: getting sensitive-data cc# alert to fire James Lay (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)