[Snort-sigs] getting sensitive-data cc# alert to fire

jason jason at ...3880...
Sat Feb 1 09:45:15 EST 2014

I'm trying to get the sensitive-data CC# alert to fire but I'm having
trouble making it happen.

Here's what I'm trying and what I've got:
preprocessor sensitive_data: alert_threshold 3

This is the rule that came with pulledpork but I can't get it to fire:
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]
(msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service
smtp, service ftp-data, service imap, service pop3;
sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I made this my only rule in snort and I modified it trying to make it easier
to fire and alert but still no luck:
alert tcp $HOME_NET any -> any any (msg:"SENSITIVE-DATA Credit Card
Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I then send a mail or use netcat and send clear text CC#'s but still can't
get it to fire.

I ran a tcpdump while sending the CC#'s and I can see the CC#'s in the
payload (of course).

I ran snort with DAQ dump to pcap and that sees the CC#'s too!
/usr/local/bin/snort -i eth0.4094 -Q --daq dump --daq-var load-mode=passive
--daq-var file=/tmp/snort_pcap_dump.cap

Could it be something with my Stream5 config?
Is my testing method whack?
I'm missing something simple I think...

Thanks for any advice

# sorry if this becomes a duplicate - I get all the mail so I thought I was
a member already but I got bounce saying I wasn't... so I signed up again
and I'm reposting this and cancelled the original.

This email is free from viruses and malware because avast! Antivirus protection is active.

More information about the Snort-sigs mailing list