[Snort-sigs] getting sensitive-data cc# alert to fire

Y M snort at ...3751...
Tue Feb 4 04:05:11 EST 2014


Hi Jason,
 
Does your snort.conf have this line disabled (commented)?
 
config disable_decode_alerts
 
From the documentation (http://manual.snort.org/node18.html):
 
"if config disable_decode_alerts is in snort.conf, decoder events will not be generated regardless of whether or not there are corresponding rules for the event."

Thanks
YM
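To make the two things Jason is testing concrete (whether a number "trips the Luhn algorithm", and whether it can still match when the stream is not reassembled), here is an added example that is not part of this thread and not Snort's own code. It is a simplified Python model of what the sdf preprocessor's built-in credit_card pattern does according to the Snort manual: find 15- or 16-digit numbers with optional space or dash separators, validate them with Luhn, count occurrences, and alert once the count reaches the sd_pattern threshold. The regex, the issuer/separator handling and the threshold semantics are my assumptions, and the sample payloads are constructed (public test card numbers, not real accounts).

```python
import re

# Added example, not Snort's code: a simplified model of the sdf preprocessor's
# built-in "credit_card" pattern (15/16 digits, optional space or dash
# separators, Luhn checksum). Exact Snort matching details are assumed here.
CC_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_cards(payload: bytes) -> int:
    """Count Luhn-valid 15/16-digit numbers in one buffer (one occurrence each)."""
    text = payload.decode("latin-1")   # 1:1 byte mapping, never raises
    hits = 0
    for m in CC_PATTERN.finditer(text):
        digits = SEPARATORS.sub("", m.group(0))
        if luhn_ok(digits):            # a 16-digit run that fails Luhn is ignored
            hits += 1
    return hits


def sdf_alert(payload: bytes, threshold: int = 1) -> bool:
    """Model 'sd_pattern:<threshold>,credit_card': alert once the count reaches it."""
    return count_cards(payload) >= threshold


def scan_segments(segments, threshold: int = 1, reassemble: bool = True) -> bool:
    """Scan TCP segment payloads either as one reassembled stream (what a
    working Stream5 hands the preprocessor) or segment by segment."""
    if reassemble:
        return sdf_alert(b"".join(segments), threshold)
    return any(sdf_alert(s, threshold) for s in segments)


# Constructed sample traffic (public test card numbers, not real accounts).
SAMPLE_POST = b"card=4111 1111 1111 1111&exp=0116&amex=378282246310005"
TYPO_POST = b"card=4111111111111112"                     # fails Luhn: no alert
SPLIT_POST = [b"card=41111111", b"11111111&cvv=123"]     # number straddles two segments

if __name__ == "__main__":
    print("occurrences in sample:", count_cards(SAMPLE_POST))                 # 2
    print("sd_pattern:1 fires:", sdf_alert(SAMPLE_POST, 1))                   # True
    print("global threshold 3 fires:", sdf_alert(SAMPLE_POST, 3))             # False
    print("Luhn-invalid number fires:", sdf_alert(TYPO_POST))                 # False
    print("split number, reassembled:", scan_segments(SPLIT_POST))            # True
    print("split number, per segment:", scan_segments(SPLIT_POST, reassemble=False))  # False
```

Two points the model makes visible: a 16-digit number that is off by one digit (TYPO_POST) is never counted, so test data that does not pass Luhn will not fire the rule no matter what the threshold is; and a number split across two segments only matches when the segments are joined first, which is why reassembly settings are worth checking before touching the rule. Whether Snort's own matcher agrees with this model in every edge case (issuer prefixes, separator placement, counting per session) is not something this thread establishes.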
 
> From: jason at ...3880...
> To: snort-sigs at lists.sourceforge.net
> Date: Mon, 3 Feb 2014 20:40:49 -0500
> Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire
> 
> Thanks for that - I was using 2> /dev/null from the troubleshooting steps in
> that 2011 thread I found:
> http://seclists.org/snort/2011/q1/983
> 
> in that thread he uses 2> and gets the alert and the output? They did add
> LOG_ERR to the syslog config to fix their issue which I tried as well:
> output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR
> 
> When I run this again using 1> I get all the snort config output but still
> no alerts.
> 
> My 1 rule (to rule them all):
> alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf;
> msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001;
> rev:2;)
> 
> Initializing rule chains...
> 1 Snort rules read
>     1 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> 
> Sensitive Data preprocessor config: 
>     Global Alert Threshold: 3
>     Masked Output: DISABLED
> 
> I'm now wondering if the stream is not being reassembled properly and
> therefore doesn't trip the luhn algorithm.
> 
> I'm going to play with Stream5 depth/length settings next but any other
> insights are of course welcome as I try to get this working.
> 
> Again thanks all for the replies, it's really appreciated :)
> 
> I will update if I make any headway
> Jason
> 
> 
> 
> 
> 
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...3507...] 
> Sent: Monday, February 03, 2014 7:17 PM
> To: rmkml; snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire
> 
> On 2/3/2014 5:06 PM, rmkml wrote:
> > Sorry for disturb,
> 
> no problem, rm... you are welcome to jump in any time, my friend ;)
> 
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> 