[Snort-sigs] Help on getting rules to trigger alerts

keith Loyd keith at ...2201...
Wed Feb 4 05:45:04 EST 2004


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can anyone tell me why the following rules do not trigger an alert on
the web page I pull from my snort box off another web server using
curl?  I'm using snort 2.1.0 and PCRE 4.3.  I



Rule file that I am using to try and detect the information below.
************************************************
alert tcp any any -> any any (msg:"Social Security Number Clear Test";flow:stateless; pcre:"m!^(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!";)
alert tcp any any -> any any (msg:"SSN";flow:stateless; pcre:"m!^\d{3}[-/]?\d{2}[-/]?\d{4}\Z!";)
alert tcp any any -> any any (msg:"DL #";flow:stateless; pcre:"m!^\d{8}\Z!";)
alert tcp any any -> any any (msg:"social #";flow:stateless; pcre:"m!^\d{9}\Z!";)
#alert tcp any any -> any any (msg:"credit card";flow:stateless; pcre:"m![3456]\d{15}\Z!;)
*************************************************


Content of the webpage
*******************************************************
What a file, all of my personal information is included.
My social security number is 234-45-9999
My social security number is 234459999
My drivers license number is 11165900
My debit card number is 4488 5800 5454 2323
I should not let anyone see this information.
snort.test.file.for.glba.project
********************************************************


Thanks,
Keith Loyd, CISSP


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCD3Xx0WKqFqu6VAEQJzEQCg1/qWcViHPmyBYK9TqzaFfu22ZOwAnRUw
bkN7+yMKHMuvitEL3XSStDW6
=O9sm
-----END PGP SIGNATURE-----
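
Added example, not part of the original post: the posted expressions run against a constructed copy of the HTTP response, showing that without a multiline flag ^ and \Z anchor to the start and end of the whole payload, so these rules match only when the payload consists of nothing but the number. The response headers and the REWRITTEN patterns are assumptions made for illustration, and Python's re stands in for PCRE.

```python
import re

# Constructed sample: the HTTP response curl would receive, i.e. the payload
# the pcre option is evaluated against. The header lines are an assumption.
PAYLOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "What a file, all of my personal information is included.\n"
    "My social security number is 234-45-9999\n"
    "My social security number is 234459999\n"
    "My drivers license number is 11165900\n"
    "My debit card number is 4488 5800 5454 2323\n"
    "I should not let anyone see this information.\n"
    "snort.test.file.for.glba.project\n"
)

# Regex bodies copied from the posted rules (m!...! delimiters stripped).
# Python's \Z is end-of-string only; PCRE's \Z also allows a final newline.
# Neither helps here, because the payload does not end in a number.
POSTED = {
    "Social Security Number Clear Test": r"^(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z",
    "SSN": r"^\d{3}[-/]?\d{2}[-/]?\d{4}\Z",
    "DL #": r"^\d{8}\Z",
    "social #": r"^\d{9}\Z",
    "credit card": r"[3456]\d{15}\Z",
}

# Hypothetical rewrites: anchors replaced by digit lookarounds so the number
# may sit anywhere in the payload; the card pattern tolerates separators.
REWRITTEN = {
    "Social Security Number Clear Test": r"(?<!\d)\d{3}[-/]\d{2}[-/]\d{4}(?!\d)",
    "SSN": r"(?<!\d)\d{3}[-/]?\d{2}[-/]?\d{4}(?!\d)",
    "DL #": r"(?<!\d)\d{8}(?!\d)",
    "social #": r"(?<!\d)\d{9}(?!\d)",
    "credit card": r"(?<!\d)[3456]\d{3}(?:[ -]?\d{4}){3}(?!\d)",
}

def hits(patterns, payload=PAYLOAD):
    """Return {rule name: matched substrings}, searching the whole payload."""
    return {name: [m.group(0) for m in re.finditer(rx, payload)]
            for name, rx in patterns.items()}

if __name__ == "__main__":
    for label, table in (("posted", POSTED), ("rewritten", REWRITTEN)):
        for name, found in hits(table).items():
            print(f"{label:9} {name:34} {found}")
```

Bare 8- and 9-digit patterns on any-to-any TCP will match a great deal of unrelated traffic, so a production rule would normally add a content match or port restriction alongside the pcre.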




