[Snort-users] help writing snort rule

Bill Lopez Bill at ...14048...
Fri Jan 26 13:58:41 EST 2007

Thank you for the quick response to my question.  


I don't want to keep asking elementary questions in this forum if its
not appropriate, please let me know if this isn't the proper place and
direct me to where I can ask basic questions.


I wasn't able to get an alert on the bleeding rule


alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear
Text"; flow: established; pcre:"/
([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype:
policy-violation; sid: 2001328; rev:8; )


thus the reason for trying to write my own with a small variance in the
character string -  


alert ip any any -> $EXTERNAL_NET any
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
Text"; sid: 1000004;)


which doesn't produce an alert either - eventually I want to apply this
filter to just traffic from/to mail , telnet, ftp (etc) servers - I can
send any variance of xxx-xx-xxxx, xxxxxxxx  or xxx xx xxxx via an
e-mail, text file attachment or file upload and still never see an alert
to the console.  I have a simple rule to check for content using a
keyword and get alerted when sending that keyword with e-mail,
attachment and file upload (this was my test to see if snort was
actually alerting correctly)  I am only running my test rules with an
out of the box snort.conf file.


Why wouldn't either of the above rules alert with (for example) an
e-mail sent with 555-55-5555 in the body?



Bill Lopez

Operating Engineers Trust Funds

(626) 356-3524

(626) 255-1066


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070126/25096b1d/attachment.html>

More information about the Snort-users mailing list