[Snort-sigs] Help on getting rules to trigger alerts

Nigel Houghton nigel at ...435...
Wed Feb 4 07:04:15 EST 2004


You need a content match in there.

Around 7:45am Keith Loyd said:

kL :Can anyone tell me why the following rules do not trigger an alert on
kL :the web page I pull from my snort box off another web server using
kL :curl?  I'm using snort 2.1.0 and PCRE 4.3.  I
kL :
kL :
kL :
kL :Rule file that I am using to try and detect the information below.
kL :************************************************
kL :alert tcp any any -> any any (msg:"Social Security Number Clear
kL :Test";flow:stateless; pcre:"m!^(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!";)
kL :alert tcp any any -> any any (msg:"SSN";flow:stateless;
kL :pcre:"m!^\d{3}[-/]?\d{2}[-/]?\d{4}\Z!";)
kL :alert tcp any any -> any any (msg:"DL #";flow:stateless;
kL :pcre:"m!^\d{8}\Z!";)
kL :alert tcp any any -> any any (msg:"social #";flow:stateless;
kL :pcre:"m!^\d{9}\Z!";)
kL :#alert tcp any any -> any any (msg:"credit card";flow:stateless;
kL :pcre:"m![3456]\d{15}\Z!;)
kL :*************************************************
kL :
kL :
kL :Content of the webpage
kL :*******************************************************
kL :What a file, all of my personal information is included.
kL :My social security number is 234-45-9999
kL :My social security number is 234459999
kL :My drivers license number is 11165900
kL :My debit card number is 4488 5800 5454 2323
kL :I should not let anyone see this information.
kL :snort.test.file.for.glba.project
kL :********************************************************
kL :
kL :
kL :Thanks,
kL :Keith Loyd, CISSP
kL :
kL :
kL :

-----------------------------------------------------------------------
Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."
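As an added example (not part of this thread, and not Snort itself), the quoted pcre bodies are run in Python against the posted test page, first with their `^` and `\Z` anchors and then without, plus a simplified emulation of pairing a content match with the regex. The HTTP status line and headers in the sample payload, and the relative-match approximation, are assumptions.

```python
import re

# Constructed sample payload: the test page quoted in the thread, embedded
# inline. The status line and headers are an assumption added so the text
# resembles what an HTTP response looks like as a TCP payload on the wire.
PAYLOAD = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "What a file, all of my personal information is included.\n"
    "My social security number is 234-45-9999\n"
    "My social security number is 234459999\n"
    "My drivers license number is 11165900\n"
    "My debit card number is 4488 5800 5454 2323\n"
    "I should not let anyone see this information.\n"
    "snort.test.file.for.glba.project\n"
)

# The pcre bodies as written in the quoted rules (m!...! delimiters removed).
# Python's \Z means "end of string"; PCRE's \Z also accepts one trailing
# newline, which makes no difference for this payload.
RULES = {
    "Social Security Number Clear Test": r"^(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z",
    "SSN": r"^\d{3}[-/]?\d{2}[-/]?\d{4}\Z",
    "DL #": r"^\d{8}\Z",
    "social #": r"^\d{9}\Z",
}


def strip_anchors(pattern):
    """Drop the leading ^ and trailing \\Z so the pattern may match anywhere."""
    if pattern.startswith("^"):
        pattern = pattern[1:]
    if pattern.endswith(r"\Z"):
        pattern = pattern[:-2]
    return pattern


def scan(payload, anchored=True):
    """Return {msg: matches} for every rule over the whole payload.

    Anchored, ^ and \\Z require the entire payload to be the number, so nothing
    fires on a page that holds any other text. Unanchored, the numbers are
    found, but a bare \\d{8} also fires inside the nine-digit SSN: digit runs
    without boundaries are imprecise.
    """
    rules = RULES if anchored else {m: strip_anchors(p) for m, p in RULES.items()}
    return {msg: re.findall(pat, payload) for msg, pat in rules.items()}


def scan_with_content(payload, content, msg):
    """Assumed, simplified emulation of pairing content: with pcre: in a rule.

    The regex is only evaluated once the literal content is present, and only
    against the bytes following it (an approximation of a relative match).
    """
    start = payload.find(content)
    if start < 0:
        return []
    return re.findall(strip_anchors(RULES[msg]), payload[start + len(content):])
```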