[Snort-sigs] getting sensitive-data cc# alert to fire

jason jason at ...3880...
Mon Feb 3 20:40:49 EST 2014

Thanks for that - I was using 2> /dev/null from the troubleshooting steps in
that 2011 thread I found:

in that thread he uses 2> and gets the alert and the output? They did add
LOG_ERR to the syslog config to fix their issue which I tried as well:
output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR

When I run this again using 1> I get all the snort config output but still
no alerts.

My 1 rule (to rule them all):
alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf;
msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001;

Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules

Sensitive Data preprocessor config: 
    Global Alert Threshold: 3
    Masked Output: DISABLED

I'm now wondering if the stream is not being reassembled properly and
therefore doesn't trip the luhn algorithm.

I'm going to play with Stream5 depth/length settings next but any other
insights are of course welcome as I try to get this working.

Again thanks all for the replies, it's really appreciated :)

I will update if I make any headway

-----Original Message-----
From: waldo kitty [mailto:wkitty42 at ...3507...] 
Sent: Monday, February 03, 2014 7:17 PM
To: rmkml; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

On 2/3/2014 5:06 PM, rmkml wrote:
> Sorry for disturb,

no problem, rm... you are welcome to jump in any time, my friend ;)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

Managing the Performance of Cloud-Based Applications Take advantage of what
the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort!

This email is free from viruses and malware because avast! Antivirus protection is active.

More information about the Snort-sigs mailing list