[Snort-sigs] getting sensitive-data cc# alert to fire

jason jason at ...3880...
Tue Feb 11 15:56:45 EST 2014


Sorry I didn't update, been busy with other stuff.

 

config disable_decode_alerts was uncommented in my snort.conf so I commented
it and now I see decode alerts where previously I did not. I thought for
sure this was going to help me but I STILL can't get snort to fire an alert
when I transmit CC#'s.

 

I played with the syslog settings and when I have all my rules enabled
(including the 4 sensitive-data rules that come by default) I am seeing
alerts like this:

sensitive_data: sensitive data global threshold exceeded

 

[139:1:1] (spp_sdf) SDF Combination Alert [Classification: Senstive Data]
[Priority: 2] {PROTO:254} xx.xx.xx.xx -> xx.xx.xx.xx

 

But I can't find any packets or payloads captured. I'm thinking the SDF
Combination Alert is when 2 or more different sensitive-data alerts (like
CC#'s and social security numbers for example) are tripped and is
informational only? This alert doesn't get picked up by Barnyard but the
global threshold exceeded alerts do - they also don't have captured
payloads.

 

Here's what I capture with tcpdump and reassembling but I never see Snort
capture any of this:

 

220 BN1BFFO11FD022.xxxxxxxxx.com Microsoft ESMTP MAIL Service ready at Thu, 6 Feb 2014 16:39:35 +0000
EHLO outgoing.xxxxxxxxxx.net
250-BN1BFFO11FD022.mail.xxxxxx.xxxxxx.com Hello [xx.xx.xx.xx]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
MAIL FROM:<me at ...3883...> SIZE=1336
RCPT TO:<me at ...3883...> ORCPT=rfc822;me at ...3883...
DATA
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
Received: from blade1-0?xxxxxxx.net (unknown [10.0.2.87])
.by outgoing.xxxxxxxxxx.net (Postfix) with SMTP id DD33849924BC
.for <me at ...3883...>; Thu,  6 Feb 2014 16:39:15 +0000 (GMT)
Message-Id: <20140206163921.DD33849924BC@ outgoing.xxxxxxxxxx.net>
Date: Thu,  6 Feb 2014 16:39:15 +0000 (GMT)
From: me at ...3883...
To: undisclosed-recipients:;
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
QUIT
250 2.6.0 <20140206163921.DD33849924BC at ...3884...> [InternalId=8452495646426, Hostname=BN1PR05MB264.namprd05.xxxxxxxxx.com] Queued mail for delivery
221 2.0.0 Service closing transmission channel

 

I've also tried sending email addresses via mail and using netcat. I even
tried sending a fake CC# in the email header like: helo 4111111111111111

 

I grabbed a new box and installed CentOS 6.4 and Snort 2.9.6. I only changed
alert_syslog and commented out config disable_decode_alerts in snort.conf. I
also made sure that threshold.conf is empty and that the pulledpork
disablesid.conf is not being loaded.

 

I changed the CC# rule to:

alert tcp any any <> any any (msg:"SENSITIVE-DATA Credit Card Numbers"; sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

 

and I changed the Email address rule to:

alert tcp any any <> any any (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:1,email; classtype:sdf; sid:5; gid:138; rev:1;)

 

this is a totally fresh install and the interface sees very little traffic
but I still can't get an alert out of it! I can only get that vague alert
about the threshold being exceeded but I don't even think my testing is
tripping that.

 

This is killing me because I know this should be working and shouldn't be
this much trouble to test/confirm.

 

Any other ideas are welcome.

Thanks

 

From: Y M [mailto:snort at ...3751...] 
Sent: Tuesday, February 04, 2014 4:05 AM
To: jason at ...3880...
Cc: snort-sigs
Subject: RE: [Snort-sigs] getting sensitive-data cc# alert to fire

 

Hi Jason,
 
Does your snort.conf have this line disabled (commented)?
 
config disable_decode_alerts
 
From the documentation (http://manual.snort.org/node18.html):
 
"if config disable_decode_alerts is in snort.conf, decoder events will not
be generated regardless of whether or not there are corresponding rules for
the event."

 Thanks
YM
 

> From: jason at ...3880...
> To: snort-sigs at lists.sourceforge.net
> Date: Mon, 3 Feb 2014 20:40:49 -0500
> Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire
> 
> Thanks for that - I was using 2> /dev/null from the troubleshooting steps in
> that 2011 thread I found: http://seclists.org/snort/2011/q1/983
> 
> in that thread he uses 2> and gets the alert and the output? They did add
> LOG_ERR to the syslog config to fix their issue which I tried as well:
> output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR
> 
> When I run this again using 1> I get all the snort config output but still
> no alerts.
> 
> My 1 rule (to rule them all):
> alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf; msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001; rev:2;)
> 
> Initializing rule chains...
> 1 Snort rules read
> 1 detection rules
> 0 decoder rules
> 0 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> 
> Sensitive Data preprocessor config: 
> Global Alert Threshold: 3
> Masked Output: DISABLED
> 
> I'm now wondering if the stream is not being reassembled properly and
> therefore doesn't trip the luhn algorithm.
> 
> I'm going to play with Stream5 depth/length settings next but any other
> insights are of course welcome as I try to get this working.
> 
> Again thanks all for the replies, it's really appreciated :)
> 
> I will update if I make any headway
> Jason
> 
> 
> 
> 
> 
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...3507...]
> Sent: Monday, February 03, 2014 7:17 PM
> To: rmkml; snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire
> 
> On 2/3/2014 5:06 PM, rmkml wrote:
> > Sorry for disturb,
> 
> no problem, rm... you are welcome to jump in any time, my friend ;)
> 
> --
> NOTE: No off-list assistance is given without prior approval.
> Please keep mailing list traffic on the list unless
> private contact is specifically requested and granted.
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org



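Added example, not code from the thread and not Snort's implementation: a small Python model of what the sensitive-data preprocessor has to do with the reassembled DATA section of the SMTP session above. It finds 15/16-digit candidates with optional dash or space separators, keeps only the ones that pass the Luhn check Jason mentions, and compares the count against the rule's count of 1 (sd_pattern:1,credit_card) and the "Global Alert Threshold: 3" shown in his config output. The candidate regex, the "fire when valid matches >= N" threshold semantics and the masking format are my assumptions, and the sample message body is constructed. Running it on the thread's three test numbers (4111-1111-1111-1111, 4660105464387620, 4111111111111111) shows that all three are Luhn-valid, so the missing alerts are not explained by the test data itself and the search can stay on configuration and stream reassembly.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the DATA section of the SMTP session in the
# thread; it is not the thread's own capture. Three Luhn-valid test numbers
# (the ones the thread sends) plus two 16-digit strings that fail Luhn.
SAMPLE_BODY = """Received: from blade1 (unknown [10.0.2.87])
From: me@example.invalid
To: undisclosed-recipients:;

4111-1111-1111-1111
4660105464387620
4111111111111111
4111 1111 1111 1112
1234567890123456
"""

# Candidate pattern (my approximation, not Snort's credit_card pattern):
# four 4-digit groups with an optional single dash or space between groups,
# or a bare 15-digit run, and not embedded in a longer digit string.
CANDIDATE_RE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}|\d{15})(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[str, bool]]:
    """Return (matched text, luhn_valid) for every candidate in the payload."""
    results = []
    for m in CANDIDATE_RE.finditer(text):
        raw = m.group(0)
        results.append((raw, luhn_ok(re.sub(r"[ -]", "", raw))))
    return results


def mask(raw: str) -> str:
    """Mask all but the last four digits, keeping separators (assumed format)."""
    digit_count = sum(ch.isdigit() for ch in raw)
    out, idx = [], 0
    for ch in raw:
        if ch.isdigit():
            idx += 1
            out.append(ch if idx > digit_count - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def evaluate(text: str, rule_count: int = 1,
             global_threshold: int = 3) -> Dict[str, object]:
    """Model one sd_pattern:<count>,credit_card rule plus a global threshold.

    rule_count mirrors the '1' in sd_pattern:1,credit_card; global_threshold
    mirrors 'Global Alert Threshold: 3' from the thread. Treating both as
    'fire when Luhn-valid matches >= N' is an assumption of this model.
    """
    found = find_card_numbers(text)
    valid = [raw for raw, ok in found if ok]
    return {
        "candidates": len(found),
        "valid": len(valid),
        "rule_fires": len(valid) >= rule_count,
        "global_threshold_reached": len(valid) >= global_threshold,
        "masked": [mask(raw) for raw in valid],
    }


if __name__ == "__main__":
    for raw, ok in find_card_numbers(SAMPLE_BODY):
        print(f"{mask(raw):<22} luhn={'ok' if ok else 'FAIL'}")
    print(evaluate(SAMPLE_BODY))
```

Run it as a plain script; it prints one masked line per candidate with its Luhn result, then the rule/threshold summary. To test against your own capture, feed the reassembled DATA section into evaluate() instead of SAMPLE_BODY; a body that scores 3 valid hits here but produces no alert in Snort points at reassembly or config, not at the numbers.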