[Snort-sigs] getting sensitive-data cc# alert to fire
jason at ...3880...
Mon Feb 3 20:40:49 EST 2014
Thanks for that - I was using 2> /dev/null from the troubleshooting steps in
that 2011 thread I found:
in that thread he uses 2> and gets the alert and the output? They did add
LOG_ERR to the syslog config to fix their issue which I tried as well:
output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR
When I run this again using 1> I get all the snort config output but still
My 1 rule (to rule them all):
alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf;
msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001;)
Initializing rule chains...
1 Snort rules read
1 detection rules
0 decoder rules
0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
Sensitive Data preprocessor config:
Global Alert Threshold: 3
Masked Output: DISABLED
I'm now wondering if the stream is not being reassembled properly and
therefore doesn't trip the Luhn algorithm.
I'm going to play with Stream5 depth/length settings next but any other
insights are of course welcome as I try to get this working.
Again thanks all for the replies, it's really appreciated :)
I will update if I make any headway
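To make the reassembly question above concrete, here is an added Python model of what the sensitive-data check has to do (example code written for this page, not the poster's rule set and not Snort's own preprocessor code). It assumes, for illustration, that the credit_card pattern looks for 16 digits in groups of four (or the 15-digit 4-6-5 AmEx layout) with optional space or dash separators and then validates the digits with Luhn, that `sd_pattern:<count>` counts Luhn-valid matches per session and fires the rule once that count is reached, and that the "Global Alert Threshold: 3" from the config dump is a second per-session counter over all matches. The sample card numbers are the standard test values, and the TCP segment payloads are constructed.

```python
import re
from typing import List

# Assumed shape of the credit_card pattern: 4-4-4-4 or 4-6-5 digit groups with
# optional space/dash separators, not adjacent to other digits.
CC_RE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}"
    r"|\d{4}[ -]?\d{6}[ -]?\d{5})(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(payload: str) -> List[str]:
    """Return the Luhn-valid card numbers (separators stripped) found in one payload."""
    found = []
    for m in CC_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_segments(segments: List[str], reassemble: bool) -> List[str]:
    """Scan TCP segment payloads one by one, or as the reassembled stream.

    A number that straddles a segment boundary is only visible after reassembly,
    which is the failure mode the poster suspects.
    """
    if reassemble:
        return find_cards("".join(segments))
    cards = []
    for seg in segments:
        cards.extend(find_cards(seg))
    return cards


class SdSession:
    """Per-session counters modelling sd_pattern:<count> and the global threshold.

    The exact counting semantics are an assumption made for this example.
    """

    def __init__(self, rule_count: int = 1, global_threshold: int = 3):
        self.rule_count = rule_count
        self.global_threshold = global_threshold
        self.matches = 0
        self.rule_fired = False
        self.global_fired = False
        self.alerts: List[str] = []

    def feed(self, payload: str) -> List[str]:
        """Count matches in this payload and return all alerts raised so far."""
        self.matches += len(find_cards(payload))
        if not self.rule_fired and self.matches >= self.rule_count:
            self.rule_fired = True
            self.alerts.append("sid:8000001 Credit Card number detected in plaintext")
        if not self.global_fired and self.matches >= self.global_threshold:
            self.global_fired = True
            self.alerts.append("global alert threshold reached")
        return list(self.alerts)


# Constructed segment payloads: the card number is split across two TCP segments.
SEGMENTS = [
    "POST /checkout HTTP/1.1\r\n\r\ncard=4111 1111 11",
    "11 1111&exp=1216\r\n",
]

if __name__ == "__main__":
    print("per-segment :", scan_segments(SEGMENTS, reassemble=False))
    print("reassembled :", scan_segments(SEGMENTS, reassemble=True))
    session = SdSession(rule_count=1, global_threshold=3)
    for p in ["4111 1111 1111 1111", "3782 822463 10005", "4111-1111-1111-1111"]:
        print(session.feed(p))
```

Running it shows the per-segment scan finding nothing while the reassembled stream yields the number, so a capture whose test card crosses a segment boundary will only alert when Stream5 reassembly covers that part of the session. The session counters then show the rule alert after the first valid number and the global-threshold alert only after the third.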
From: waldo kitty [mailto:wkitty42 at ...3507...]
Sent: Monday, February 03, 2014 7:17 PM
To: rmkml; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire
On 2/3/2014 5:06 PM, rmkml wrote:
> Sorry for disturb,
no problem, rm... you are welcome to jump in any time, my friend ;)
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
Please visit http://blog.snort.org for the latest news about Snort!