[Snort-sigs] getting sensitive-data cc# alert to fire

jason jason at ...3880...
Mon Feb 3 08:37:00 EST 2014


Thanks for replying James



>> Try adding -k none to your command line.



I was using –knone so I changed that but still no hits…



/usr/local/bin/snort -c /etc/snort/snort.conf -Acmg -k none -r /tmp/snort_pcap_dump.cap 2> /dev/null

/usr/local/bin/snort -c ./snort-2.9.5.3/etc/snort.conf -Acmg -k none -r /tmp/snort_pcap_dump.cap 2> /dev/null



This seems to work for everyone right out of the box so I am really at a loss why I can’t get it alerting…

I’m using 2.9.5.3 but will try a fresh install of 2.9.6 and try again.



Again much thanks!

Kind regards,

Jason





From: James Lay [mailto:jlay at ...3266...]
Sent: Monday, February 03, 2014 8:01 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire



On Mon, 2014-02-03 at 07:30 -0500, jason wrote:


I found this old thread about getting the alerts to fire with a single hit
(I can't get it to alert at all):
http://seclists.org/snort/2011/q1/983

I ran my pcap dump (contains CC#'s in the payload) through snort and still
no hits:
$ /usr/local/bin/snort -c /etc/snort/snort.conf -Acmg -knone -r
/tmp/snort_pcap_dump.cap 2> /dev/null

I then tried running it using the generic snort.conf and still no alert:
/usr/local/bin/snort -c ./snort-2.9.5.3/etc/snort.conf -Acmg -knone -r
/tmp/snort_pcap_dump.cap 2> /dev/null

Here is a packet in the dump file that was captured with the fake CC#'s:

0000  00 12 da bd 7a d8 00 23  e9 3e 95 47 81 00 0f fe   ....z..# ..>.G....
0010  08 00 45 00 00 e2 b6 35  40 00 3f 06 b6 4a cc 5d   ..E....5 @.?..J.]
0020  80 87 40 b3 40 fe ef 2e  00 15 53 7a fd 48 e6 99   .. at ...180...@... ...Sz.H..
0030  73 60 80 18 00 1d 4c fc  00 00 01 01 08 0a 5b da   s`....L. .......[.
0040  8c 6f 1c 74 2a af 36 30  31 31 31 31 31 31 31 31   .o.t*.60 11111111
0050  31 31 31 31 31 37 0a 36  30 31 31 30 30 30 39 39   111117.6 01100099
0060  30 31 33 39 34 32 34 0a  34 31 31 31 2d 31 31 31   0139424. 4111-111
0070  31 2d 31 31 31 31 2d 31  31 31 31 0a 33 37 38 32   1-1111-1 111.3782
0080  38 32 32 34 36 33 31 30  30 30 35 0a 34 31 31 31   82246310 005.4111
0090  31 31 31 31 31 31 31 31  31 31 31 31 0a 34 31 31   11111111 1111.411
00a0  31 31 31 31 31 31 31 31  31 31 31 31 31 0a 34 31   11111111 11111.41
00b0  31 31 2d 31 31 31 31 2d  31 31 31 31 2d 31 31 31   11-1111- 1111-111
00c0  31 0a 36 30 31 31 31 31  31 31 31 31 31 31 31 31   1.601111 11111111
00d0  31 37 0a 36 30 31 31 30  30 30 39 39 30 31 33 39   17.60110 00990139
00e0  34 32 34 0a 33 37 38 32  38 32 32 34 36 33 31 30   424.3782 82246310
00f0  30 30 35 0a                                        005.

In this view the CC#'s are a little scrambled but when I follow the TCP
stream in wireshark, they are clearly shown.

I am totally at a loss why I can't get this working... anyone have any
advice or something else I might be able to look at?

Thanks for any help

-----Original Message-----
From: jason [mailto:jason at ...3880...]
Sent: Saturday, February 01, 2014 9:45 AM
To: 'Snort-sigs'
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

HI!
I'm trying to get the sensitive-data CC# alert to fire but I'm having
trouble making it happen.

Here's what I'm trying and what I've got:
Snort.conf:
preprocessor sensitive_data: alert_threshold 3

This is the rule that came with pulledpork but I can't get it to fire:
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]
(msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service
smtp, service ftp-data, service imap, service pop3;
sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I made this my only rule in snort and I modified it trying to make it easier
to fire and alert but still no luck:
alert tcp $HOME_NET any -> any any (msg:"SENSITIVE-DATA Credit Card
Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I then send a mail or use netcat and send clear text CC#'s but still can't
get it to fire.

I ran a tcpdump while sending the CC#'s and I can see the CC#'s in the
payload (of course).

I ran snort with DAQ dump to pcap and that sees the CC#'s too!
/usr/local/bin/snort -i eth0.4094 -Q --daq dump --daq-var load-mode=passive
--daq-var file=/tmp/snort_pcap_dump.cap

Could it be something with my Stream5 config?
Is my testing method whack?
I'm missing something simple I think...

Thanks for any advice

# sorry if this becomes a duplicate - I get all the mail so I thought I was
a member already but I got bounce saying I wasn't... so I signed up again
and I'm reposting this and cancelled the original.




---
This email is free from viruses and malware because avast! Antivirus
protection is active.
http://www.avast.com


----------------------------------------------------------------------------
--
WatchGuard Dimension instantly turns raw network data into actionable
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import a
virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991 <http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk> &iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com


------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231 <http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk> &iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


Try adding -k none to your command line.

James



---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140203/2e882ca5/attachment.html>


More information about the Snort-sigs mailing list