[Snort-sigs] getting sensitive-data cc# alert to fire
jason at ...3880...
Sat Feb 1 09:45:15 EST 2014
I'm trying to get the sensitive-data CC# alert to fire but I'm having
trouble making it happen.
Here's what I'm trying and what I've got:
preprocessor sensitive_data: alert_threshold 3
This is the rule that came with pulledpork but I can't get it to fire:
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]
(msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service
smtp, service ftp-data, service imap, service pop3;
sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
I made this my only rule in snort and I modified it trying to make it easier
to fire and alert but still no luck:
alert tcp $HOME_NET any -> any any (msg:"SENSITIVE-DATA Credit Card
Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
I then send a mail or use netcat and send clear text CC#'s but still can't
get it to fire.
I ran a tcpdump while sending the CC#'s and I can see the CC#'s in the
payload (of course).
I ran snort with DAQ dump to pcap and that sees the CC#'s too!
/usr/local/bin/snort -i eth0.4094 -Q --daq dump --daq-var load-mode=passive
Could it be something with my Stream5 config?
Is my testing method whack?
I'm missing something simple I think...
Thanks for any advice
# sorry if this becomes a duplicate - I get all the mail so I thought I was
a member already but I got a bounce saying I wasn't... so I signed up again
and I'm reposting this and cancelled the original.
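One thing worth checking about the test data itself, as an added example that is not part of the original post or of the Snort project: the sensitive_data preprocessor's credit_card pattern only counts candidates that pass the Luhn check, and the rule's sd_pattern count (2 here) is the number of matches the preprocessor must see before it alerts, so a made-up 16-digit string or a single real-looking number sent once will not fire the rule. The script below (Python, my own code) validates a number with Luhn and builds a small payload of several Luhn-valid, clearly labelled test numbers in the contiguous, space-separated and dash-separated forms so the tester can see what a matching payload should look like before sending it with netcat or mail. The 4-4-4-4 grouping for 16-digit numbers and the default prefix are my assumptions for the test data, not a statement about which formats the preprocessor accepts beyond those.

```python
#!/usr/bin/env python3
"""Generate Luhn-valid test card numbers for exercising a Snort sd_pattern rule.

Added example for testing detection coverage; the numbers are synthetic
(constructed test data), not real accounts.
"""
import random


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum of a digit string modulo 10 (0 means valid).

    Walks from the rightmost digit and doubles every second digit,
    subtracting 9 when the doubled value exceeds 9.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if `number` (separators allowed) is a 15- or 16-digit Luhn-valid string."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) not in (15, 16):
        return False
    return luhn_checksum(digits) == 0


def make_test_number(prefix: str = "4", length: int = 16, rng=None) -> str:
    """Build a random digit string of `length` digits with a valid Luhn check digit.

    `prefix` and `length` are assumptions for constructed test data only.
    """
    rng = rng or random.Random(0)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    # Pick the single check digit that makes the whole number Luhn-valid.
    for d in "0123456789":
        if luhn_checksum(body + d) == 0:
            return body + d
    raise AssertionError("unreachable: some digit always satisfies Luhn")


def format_number(number: str, sep: str = "") -> str:
    """Group the digits in blocks of four joined by `sep` ('' , ' ' or '-')."""
    digits = "".join(ch for ch in number if ch.isdigit())
    groups = [digits[i:i + 4] for i in range(0, len(digits), 4)]
    return sep.join(groups)


def build_payload(count: int = 3, seed: int = 0) -> str:
    """Return `count` Luhn-valid test numbers, one per line, cycling the formats.

    Use a count at least as large as the rule's sd_pattern count so the
    preprocessor sees enough matches in one session to alert.
    """
    rng = random.Random(seed)
    seps = ["", " ", "-"]
    lines = [
        "test card %d: %s" % (i + 1, format_number(make_test_number(rng=rng), seps[i % 3]))
        for i in range(count)
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe this into netcat toward the sensor, e.g.  python3 this.py | nc host 80
    print(build_payload(3), end="")
```

Every number the script emits passes `luhn_valid`, so if the rule still stays silent with this payload, the problem is in the sensor path (preprocessor enabled, stream5 reassembling that port, gid 138 rule loaded) rather than in the test data.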