[Snort-users] Detecting Social Security Numbers?
mkettler at ...4108...
Fri Sep 10 12:52:00 EDT 2004
At 02:01 PM 9/10/2004, Lyons, Jon wrote:
>I'm trying to get snort to generate an alert for SS#s, I've tried the
>rule below but no alerts are generated. I tested this with pcretest and it
>am I missing something?
>alert tcp any any -> any any (msg:"Socail Security Number Clear Text";
I can't possibly imagine why that rule works with pcretest, but if you say
so... It's clearly not any valid regex syntax that I've ever seen before,
and it looks nothing like the regex syntax of any of the default rules in
the snort ruleset.
What's the m! out front supposed to be doing, and why isn't that PCRE
properly bounded with /'es? (all regexes should be bounded with a / at the
start and a / at the end, with modifiers following the trailing /)
Try something more like this to start with, then add PCRE syntax as needed:
Note: I substituted \b for your \Z. I don't think EOL is really a good
termination condition to use when doing general text string searches... what
if it's in record-per-line format where the name comes after the SSN?
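
The `\b` versus `\Z` point above, as an added example that is not part of the original post or the rule it suggested: it runs a word-bounded and an end-anchored pattern over constructed payloads to show which record layouts each one misses. Assumptions: the `NNN-NN-NNNN` pattern, the sample payloads, and Python's `re` module standing in for Snort's PCRE engine.

```python
import re

# Assumed SSN shape for illustration: NNN-NN-NNNN (not taken from the thread).
SSN = r"\d{3}-\d{2}-\d{4}"

# Word-bounded form: matches wherever the number sits in the payload.
BOUNDED = re.compile(r"\b" + SSN + r"\b")

# End-anchored form. PCRE's \Z (end of subject, or just before a final
# newline) is spelled (?=\n?\Z) here, because Python's \Z is PCRE's \z.
END_ANCHORED = re.compile(r"\b" + SSN + r"(?=\n?\Z)")

# Constructed payloads; area number 000 is never issued, so these are not real SSNs.
SAMPLES = {
    "ssn_last": b"Doe, John,000-12-3456\n",
    "ssn_first": b"000-12-3456,Doe, John\n",
    "multi_line": b"Doe, John,000-12-3456\nRoe, Jane,000-98-7654\n",
    "long_digits": b"order 1000-12-34567 shipped\n",
}


def hits(pattern, payload):
    """Return every SSN-shaped string the pattern finds in a payload."""
    return pattern.findall(payload.decode("ascii", errors="replace"))


def compare(samples=SAMPLES):
    """Map sample name -> (bounded hits, end-anchored hits)."""
    return {name: (hits(BOUNDED, p), hits(END_ANCHORED, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (bounded, anchored) in compare().items():
        print(f"{name:12} \\b: {bounded!s:32} \\Z: {anchored}")
```

The end-anchored form only fires when the number is the last thing in the payload, so it misses the name-after-SSN layout and every record but the last in a multi-record payload; the word boundaries also keep longer digit runs from matching.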