[Snort-users] Snort and SQL database

Josh Bitto jbitto at ...16055...
Fri Feb 1 18:22:28 EST 2013


I have, after a week of battling with this, finally got everything going on snort and then using barnyard2 to send the alerts to mysql. However, when I export the data from the sql database it doesn't look the same at all as the report in pfsense.

I used barnyard2’s schema file to create the database and I’m not sure if that has something to do with it.


Any suggestions?

-----Original Message-----
From: JJC [mailto:cummingsj at ...11827...] 
Sent: Thursday, January 31, 2013 11:37 AM
To: Jeremy Hoel
Cc: Josh Bitto; Snort Users
Subject: Re: [Snort-users] Testing Snort

I would suggest reading through the sensitive data preprocessor documentation and modifying the rules to fit your policy requirements...

Sent from my iPad

On Jan 31, 2013, at 14:28, Jeremy Hoel <jthoel at ...11827...> wrote:

> So the ET ruleset has some policy rules for Credit cards and SSNs passed in the clear. You might check those out to see if they meet your needs.
> 
> sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed) || url,doc.emergingthreats.net/2001328
> sid-msg.map:2001384 || ET POLICY SSN Detected in Clear Text (spaced) || url,doc.emergingthreats.net/2001384
> sid-msg.map:2007971 || ET POLICY SSN Detected in Clear Text (SSN ) || url,doc.emergingthreats.net/2007971
> sid-msg.map:2007972 || ET POLICY SSN Detected in Clear Text (SSN# ) || url,doc.emergingthreats.net/2007972
> sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
> id-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,doc.emergingthreats.net/2001375 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001376 || ET POLICY Credit Card Number Detected in Clear (16 digit dashed) || url,doc.emergingthreats.net/2001376 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001377 || ET POLICY Credit Card Number Detected in Clear (16 digit) || url,doc.emergingthreats.net/2001377 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001378 || ET POLICY Credit Card Number Detected in Clear (15 digit) || url,doc.emergingthreats.net/2001378 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001379 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced) || url,doc.emergingthreats.net/2001379 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001380 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed) || url,doc.emergingthreats.net/2001380 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001381 || ET POLICY Credit Card Number Detected in Clear (14 digit) || url,doc.emergingthreats.net/2001381 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001382 || ET POLICY Credit Card Number Detected in Clear (14 digit spaced) || url,doc.emergingthreats.net/2001382 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001383 || ET POLICY Credit Card Number Detected in Clear (14 digit dashed) || url,doc.emergingthreats.net/2001383 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002477
> sid-msg.map:2002488 || ET DELETED SMTP Credit History || url,doc.emergingthreats.net/bin/view/Main/2002488
> sid-msg.map:2002561 || ET DELETED HTTP - Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002561
> sid-msg.map:2002572 || ET DELETED HTTP - Credit History || url,doc.emergingthreats.net/bin/view/Main/2002572
> sid-msg.map:2002642 || ET DELETED High Ports - Credit Card, JCB || url,doc.emergingthreats.net/2002642
> sid-msg.map:2002653 || ET DELETED High Ports - Credit History || url,doc.emergingthreats.net/2002653
> sid-msg.map:2009293 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2) || url,doc.emergingthreats.net/2009293 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2009294 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2) || url,doc.emergingthreats.net/2009294 || url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2013244 || ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script || url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-card
> 
> What you are looking for is more of a data leakage protection (DLP). You might find this useful for other OS tools that might solve your problem better:
> http://www.chrisbrenton.org/wp-content/uploads/2010/01/poor-mans-dlp.pdf
> 
> On Wed, Jan 30, 2013 at 4:10 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> Hmmm.....now I have another question...lol...it's hump day (middle of the week)
>> 
>> 
>> 
>> Is there a program out there that works with snort in a way to capture data from users.....let's say...sensitive data rule gets fired (example Email Addresses) and we want to make sure that whatever rule that is....the content lines up with company policy.
>> 
>> 
>> 
>> I know of wireshark, but that is just packets…
>> 
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Wednesday, January 30, 2013 12:52 PM
>> To: Josh Bitto
>> Cc: Jeremy Hoel; Snort Users
>> 
>> 
>> Subject: Re: [Snort-users] Testing Snort
>> 
>> 
>> 
>> On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> 
>> 
>> 
>> 1. The rules update....I obtained the oinkmaster code and put it in. It has the option to update at a certain time, every 12 hours for example.....Does it automatically do that or do I have to buy a subscription for that to actually work? I know the definitions will be 30 days old for just a regular registered user, but still.
>> 
>> 
>> 
>> You'd probably want to cron it.
>> 
>> 
>> 
>> 2. Back to the rules search....ok I searched a couple of SID numbers and it came back as "this rule has been deprecated and placed into deleted.rules". Should I suppress that or are my definitions outdated?
>> 
>> 
>> 
>> Your definitions may be outdated. When we delete a rule, it's usually because it's no longer useful or it's been replaced by better detection.
>> 
>> 
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> 
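The entries Jeremy grepped out of sid-msg.map above follow the file's `sid || msg || ref || ref ...` layout. As an added example (not code from the thread or from the Snort or Emerging Threats projects), the parser below reads that layout, tolerates the `sid-msg.map:` prefix grep puts in front of each line, and picks out the live `ET POLICY` SSN and credit-card rules while skipping the `ET DELETED` ones; the sample lines are constructed from entries quoted above, and the `policy_rules` helper and its keyword list are my own.

```python
"""Parse sid-msg.map entries ("sid || msg || ref || ref ...").

Added example, not code from the thread. SAMPLE is constructed from
entries quoted in the thread; the "sid-msg.map:" prefix is grep's
filename prefix, not part of the file itself.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed) || url,doc.emergingthreats.net/2001328
sid-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,doc.emergingthreats.net/2001375 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002477
sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
"""

GREP_PREFIX = "sid-msg.map:"


@dataclass
class MapEntry:
    sid: int
    msg: str
    refs: list = field(default_factory=list)  # [(type, value), ...]

    @property
    def category(self):
        # "ET POLICY ..." -> "POLICY"; empty for messages without an ET prefix
        m = re.match(r"ET (\w+)", self.msg)
        return m.group(1) if m else ""


def parse_sid_msg_map(text):
    """Return {sid: MapEntry}; malformed lines are skipped, not fatal."""
    entries = {}
    for raw in text.splitlines():
        line = raw[len(GREP_PREFIX):] if raw.startswith(GREP_PREFIX) else raw
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        # references look like "url,doc.emergingthreats.net/2001328"
        refs = [tuple(r.split(",", 1)) for r in fields[2:] if "," in r]
        entries[int(fields[0])] = MapEntry(int(fields[0]), fields[1], refs)
    return entries


def policy_rules(entries, keywords=("SSN", "Credit Card")):
    """SIDs of live ET POLICY entries whose message mentions a keyword."""
    return sorted(e.sid for e in entries.values()
                  if e.category == "POLICY" and any(k in e.msg for k in keywords))
```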
