[Snort-users] Testing Snort

JJC cummingsj at ...11827...
Thu Jan 31 14:37:05 EST 2013


I would suggest reading through the sensitive data preprocessor documentation and modifying the rules to fit your policy requirements...

Sent from my iPad
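As an added illustration (not code from this thread, from Snort or from the ET ruleset), here is a small Python post-filter in the spirit of the sensitive data preprocessor and the ET "Detected in Clear" policy rules: it matches the same plain/spaced/dashed card-number and 3-2-4 SSN shapes, masks all but the last four digits the way the preprocessor's mask_output does, and applies the Luhn check that the preprocessor's built-in credit_card pattern performs but a digit-run regex alone does not. The regexes are my approximation of the rule shapes and all sample payloads are constructed.

```python
import re

# Patterns in the spirit of the ET POLICY "Detected in Clear" rules: 16- and
# 15-digit card numbers (plain, spaced or dashed) and a 3-2-4 SSN.
CC16_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
CC15_RE = re.compile(r"\b\d{4}[ -]?\d{6}[ -]?\d{5}\b")
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of number; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(number: str) -> str:
    """X out all but the last four digits, keeping separators (like mask_output)."""
    n_digits = sum(c.isdigit() for c in number)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            seen += 1
            c = c if seen > n_digits - 4 else "X"
        out.append(c)
    return "".join(out)

def scan(payload: str, require_luhn: bool = True) -> list:
    """Return (kind, masked_match) findings for one clear-text payload.
    With require_luhn=True a digit run that fails Luhn is dropped, the main
    false-positive cut a plain regex policy rule does not get."""
    findings = []
    for rx in (CC16_RE, CC15_RE):
        for m in rx.finditer(payload):
            if require_luhn and not luhn_ok(m.group(0)):
                continue
            findings.append(("credit_card", mask(m.group(0))))
    for m in SSN_RE.finditer(payload):
        findings.append(("us_social", mask(m.group(0))))
    return findings

# Constructed sample payloads (made-up values / the standard Visa test number).
SAMPLE_PAYLOADS = [
    "card=4111 1111 1111 1111&exp=1225",   # Luhn-valid 16 digit, spaced
    "card=4111-1111-1111-1112",            # same shape, fails Luhn
    "ssn=123-45-6789 for account review",  # dashed SSN
    "order id 1234567890123456 shipped",   # 16-digit order id, fails Luhn
]
```

Running scan() over SAMPLE_PAYLOADS with and without require_luhn shows which of the regex-only hits would survive a Luhn-validated rule.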

On Jan 31, 2013, at 14:28, Jeremy Hoel <jthoel at ...11827...> wrote:

> So the ET ruleset has some policy rules for Credit cards and SSN's
> passed in the clear.  You might check those out to see if they meet
> your needs.
> 
> sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed)
> || url,doc.emergingthreats.net/2001328
> sid-msg.map:2001384 || ET POLICY SSN Detected in Clear Text (spaced)
> || url,doc.emergingthreats.net/2001384
> sid-msg.map:2007971 || ET POLICY SSN Detected in Clear Text (SSN ) ||
> url,doc.emergingthreats.net/2007971
> sid-msg.map:2007972 || ET POLICY SSN Detected in Clear Text (SSN# ) ||
> url,doc.emergingthreats.net/2007972
> sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
> sid-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear
> (16 digit spaced) || url,doc.emergingthreats.net/2001375 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001376 || ET POLICY Credit Card Number Detected in Clear
> (16 digit dashed) || url,doc.emergingthreats.net/2001376 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001377 || ET POLICY Credit Card Number Detected in Clear
> (16 digit) || url,doc.emergingthreats.net/2001377 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001378 || ET POLICY Credit Card Number Detected in Clear
> (15 digit) || url,doc.emergingthreats.net/2001378 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001379 || ET POLICY Credit Card Number Detected in Clear
> (15 digit spaced) || url,doc.emergingthreats.net/2001379 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001380 || ET POLICY Credit Card Number Detected in Clear
> (15 digit dashed) || url,doc.emergingthreats.net/2001380 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001381 || ET POLICY Credit Card Number Detected in Clear
> (14 digit) || url,doc.emergingthreats.net/2001381 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001382 || ET POLICY Credit Card Number Detected in Clear
> (14 digit spaced) || url,doc.emergingthreats.net/2001382 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001383 || ET POLICY Credit Card Number Detected in Clear
> (14 digit dashed) || url,doc.emergingthreats.net/2001383 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB ||
> url,doc.emergingthreats.net/bin/view/Main/2002477
> sid-msg.map:2002488 || ET DELETED SMTP Credit History ||
> url,doc.emergingthreats.net/bin/view/Main/2002488
> sid-msg.map:2002561 || ET DELETED HTTP - Credit Card, JCB ||
> url,doc.emergingthreats.net/bin/view/Main/2002561
> sid-msg.map:2002572 || ET DELETED HTTP - Credit History ||
> url,doc.emergingthreats.net/bin/view/Main/2002572
> sid-msg.map:2002642 || ET DELETED High Ports - Credit Card, JCB ||
> url,doc.emergingthreats.net/2002642
> sid-msg.map:2002653 || ET DELETED High Ports - Credit History ||
> url,doc.emergingthreats.net/2002653
> sid-msg.map:2009293 || ET POLICY Credit Card Number Detected in Clear
> (15 digit spaced 2) || url,doc.emergingthreats.net/2009293 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2009294 || ET POLICY Credit Card Number Detected in Clear
> (15 digit dashed 2) || url,doc.emergingthreats.net/2009294 ||
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2013244 || ET CURRENT_EVENTS Known Injected Credit Card
> Fraud Malvertisement Script ||
> url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-card
> 
> What you are looking for is more of a data leakage protection (DLP).
> You might find this useful for other OS tools that might solve your
> problem better:
> http://www.chrisbrenton.org/wp-content/uploads/2010/01/poor-mans-dlp.pdf
> 
> On Wed, Jan 30, 2013 at 4:10 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> Hmmm…..now I have another question…lol…it’s hump day (middle of the week)
>> 
>> Is there a program out there that works with snort in a way to capture data
>> from users…..let’s say…sensitive data rule gets fired (example Email
>> Addresses) and we want to make sure that whatever rule that is….the content
>> lines up with company policy.
>> 
>> I know of wireshark, but that is just packets…
>> 
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Wednesday, January 30, 2013 12:52 PM
>> To: Josh Bitto
>> Cc: Jeremy Hoel; Snort Users
>> Subject: Re: [Snort-users] Testing Snort
>> 
>> On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> 
>> 1. The rules update....I obtained the oinkmaster code and put it in. It has
>> the option to update at a certain time, every 12 hours for example.....Does it
>> automatically do that or do I have to buy a subscription for that to
>> actually work? I know the definitions will be 30 days old for just a regular
>> registered user, but still.
>> 
>> You'd probably want to cron it.
>> 
>> 2. Back to the rules search....ok I searched a couple of SID numbers and it
>> came back as "this rule has been deprecated and placed into deleted.rules"
>> Should I suppress that or are my definitions outdated?
>> 
>> Your definitions may be outdated.  When we delete a rule, it's usually because
>> it's no longer useful or it's been replaced by better detection.
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> 
