[Snort-sigs] getting sensitive-data cc# alert to fire

James Lay jlay at ...3266...
Mon Feb 3 08:00:32 EST 2014


On Mon, 2014-02-03 at 07:30 -0500, jason wrote:

> I found this old thread about getting the alerts to fire with a single hit
> (I can't get it to alert at all):
> http://seclists.org/snort/2011/q1/983
> 
> I ran my pcap dump (contains CC#'s in the payload) through snort and still
> no hits:
> $ /usr/local/bin/snort -c /etc/snort/snort.conf -Acmg -knone -r
> /tmp/snort_pcap_dump.cap 2> /dev/null
> 
> I then tried running it using the generic snort.conf and still no alert:
> /usr/local/bin/snort -c ./snort-2.9.5.3/etc/snort.conf -Acmg -knone -r
> /tmp/snort_pcap_dump.cap 2> /dev/null
> 
> Here is a packet in the dump file that was captured with the fake CC#'s:
> 
> 0000  00 12 da bd 7a d8 00 23  e9 3e 95 47 81 00 0f fe   ....z..# .>.G....
> 0010  08 00 45 00 00 e2 b6 35  40 00 3f 06 b6 4a cc 5d   ..E....5 @.?..J.]
> 0020  80 87 40 b3 40 fe ef 2e  00 15 53 7a fd 48 e6 99   ..@.@... ..Sz.H..
> 0030  73 60 80 18 00 1d 4c fc  00 00 01 01 08 0a 5b da   s`....L. ......[.
> 0040  8c 6f 1c 74 2a af 36 30  31 31 31 31 31 31 31 31   .o.t*.60 11111111
> 0050  31 31 31 31 31 37 0a 36  30 31 31 30 30 30 39 39   111117.6 01100099
> 0060  30 31 33 39 34 32 34 0a  34 31 31 31 2d 31 31 31   0139424. 4111-111
> 0070  31 2d 31 31 31 31 2d 31  31 31 31 0a 33 37 38 32   1-1111-1 111.3782
> 0080  38 32 32 34 36 33 31 30  30 30 35 0a 34 31 31 31   82246310 005.4111
> 0090  31 31 31 31 31 31 31 31  31 31 31 31 0a 34 31 31   11111111 1111.411
> 00a0  31 31 31 31 31 31 31 31  31 31 31 31 31 0a 34 31   11111111 11111.41
> 00b0  31 31 2d 31 31 31 31 2d  31 31 31 31 2d 31 31 31   11-1111- 1111-111
> 00c0  31 0a 36 30 31 31 31 31  31 31 31 31 31 31 31 31   1.601111 11111111
> 00d0  31 37 0a 36 30 31 31 30  30 30 39 39 30 31 33 39   17.60110 00990139
> 00e0  34 32 34 0a 33 37 38 32  38 32 32 34 36 33 31 30   424.3782 82246310
> 00f0  30 30 35 0a                                        005.     
> 
> In this view the CC#'s are a little scrambled but when I follow the TCP
> stream in wireshark, they are clearly shown.
> 
> I am totally at a loss why I can't get this working... anyone have any
> advice or something else I might be able to look at?
> 
> Thanks for any help
> 
> -----Original Message-----
> From: jason [mailto:jason at ...3880...] 
> Sent: Saturday, February 01, 2014 9:45 AM
> To: 'Snort-sigs'
> Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire
> 
> HI!
> I'm trying to get the sensitive-data CC# alert to fire but I'm having
> trouble making it happen.
> 
> Here's what I'm trying and what I've got:
> Snort.conf:
> preprocessor sensitive_data: alert_threshold 3
> 
> This is the rule that came with pulledpork but I can't get it to fire:
> alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]
> (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service
> smtp, service ftp-data, service imap, service pop3;
> sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
> 
> I made this my only rule in snort and I modified it trying to make it easier
> to fire and alert but still no luck:
> alert tcp $HOME_NET any -> any any (msg:"SENSITIVE-DATA Credit Card
> Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
> 
> I then send a mail or use netcat and send clear text CC#'s but still can't
> get it to fire.
> 
> I ran a tcpdump while sending the CC#'s and I can see the CC#'s in the
> payload (of course).
> 
> I ran snort with DAQ dump to pcap and that sees the CC#'s too!
> /usr/local/bin/snort -i eth0.4094 -Q --daq dump --daq-var load-mode=passive
> --daq-var file=/tmp/snort_pcap_dump.cap
> 
> Could it be something with my Stream5 config?
> Is my testing method whack?
> I'm missing something simple I think...
> 
> Thanks for any advice
> 
> # sorry if this becomes a duplicate - I get all the mail so I thought I was
> a member already but I got a bounce saying I wasn't... so I signed up again
> and I'm reposting this and cancelled the original.
> 
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 


Try adding -k none to your command line.

James
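As an added example that is not from the thread or from Snort's source, here is a small Python check that applies the logic the sd_pattern credit_card option is documented to use (15- or 16-digit numbers with optional space or dash separators, validated with the Luhn algorithm) to the TCP payload decoded from the hex dump above. The regex is an approximation of the preprocessor's pattern and the count is evaluated over a single packet's payload, which is a simplification.

```python
import re

# Constructed sample: the TCP payload decoded from the hex dump above
# (ASCII from offset 0x46, after the 802.1Q Ethernet, IP and TCP headers),
# one test card number per line, exactly as it appears on the wire.
SAMPLE_PAYLOAD = (
    b"6011111111111117\n6011000990139424\n4111-1111-1111-1111\n"
    b"378282246310005\n4111111111111111\n4111111111111111\n"
    b"4111-1111-1111-1111\n6011111111111117\n6011000990139424\n"
    b"378282246310005\n"
)

# Approximation of the preprocessor's credit_card pattern (not Snort's
# code): 15 or 16 digits, optional single space/dash between digits,
# and no further digit on either side so longer digit runs do not match.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, the validation sd_pattern applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload: bytes) -> list[str]:
    """Digit strings in one payload that match the pattern and pass Luhn."""
    hits = []
    for m in CC_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def sd_rule_fires(payload: bytes, count: int = 2) -> bool:
    """Simplified 'sd_pattern:<count>,credit_card' over a single packet's
    payload: true once at least <count> validated numbers are present."""
    return len(find_card_numbers(payload)) >= count


if __name__ == "__main__":
    found = find_card_numbers(SAMPLE_PAYLOAD)
    print(len(found), "Luhn-valid card numbers; rule fires:",
          sd_rule_fires(SAMPLE_PAYLOAD))
```

All ten numbers in the dump pass the Luhn check, so the payload content itself satisfies a count of 2; when the rule still does not fire, the cause is somewhere in the capture or configuration path rather than in the test data.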