[Snort-users] Snort and SQL on PFsense

Josh Bitto jbitto at ...16055...
Thu Jan 31 16:56:08 EST 2013


Has anyone had any experience setting up Snort to copy log files to mysql or an sql server? We're using snort on pfsense so it wouldn't be a regular distro that I would be running snort on.



-----Original Message-----
From: Jeremy Hoel [mailto:jthoel at ...11827...] 
Sent: Thursday, January 31, 2013 11:29 AM
To: Josh Bitto
Cc: Joel Esler; Snort Users
Subject: Re: [Snort-users] Testing Snort

So the ET ruleset has some policy rules for Credit cards and SSN's passed in the clear.  You might check those out to see if they meet your needs.

sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed)
|| url,doc.emergingthreats.net/2001328
sid-msg.map:2001384 || ET POLICY SSN Detected in Clear Text (spaced)
|| url,doc.emergingthreats.net/2001384
sid-msg.map:2007971 || ET POLICY SSN Detected in Clear Text (SSN ) ||
url,doc.emergingthreats.net/2007971
sid-msg.map:2007972 || ET POLICY SSN Detected in Clear Text (SSN# ) ||
url,doc.emergingthreats.net/2007972
sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
id-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear
(16 digit spaced) || url,doc.emergingthreats.net/2001375 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001376 || ET POLICY Credit Card Number Detected in Clear
(16 digit dashed) || url,doc.emergingthreats.net/2001376 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001377 || ET POLICY Credit Card Number Detected in Clear
(16 digit) || url,doc.emergingthreats.net/2001377 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001378 || ET POLICY Credit Card Number Detected in Clear
(15 digit) || url,doc.emergingthreats.net/2001378 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001379 || ET POLICY Credit Card Number Detected in Clear
(15 digit spaced) || url,doc.emergingthreats.net/2001379 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001380 || ET POLICY Credit Card Number Detected in Clear
(15 digit dashed) || url,doc.emergingthreats.net/2001380 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001381 || ET POLICY Credit Card Number Detected in Clear
(14 digit) || url,doc.emergingthreats.net/2001381 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001382 || ET POLICY Credit Card Number Detected in Clear
(14 digit spaced) || url,doc.emergingthreats.net/2001382 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001383 || ET POLICY Credit Card Number Detected in Clear
(14 digit dashed) || url,doc.emergingthreats.net/2001383 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB ||
url,doc.emergingthreats.net/bin/view/Main/2002477
sid-msg.map:2002488 || ET DELETED SMTP Credit History ||
url,doc.emergingthreats.net/bin/view/Main/2002488
sid-msg.map:2002561 || ET DELETED HTTP - Credit Card, JCB ||
url,doc.emergingthreats.net/bin/view/Main/2002561
sid-msg.map:2002572 || ET DELETED HTTP - Credit History ||
url,doc.emergingthreats.net/bin/view/Main/2002572
sid-msg.map:2002642 || ET DELETED High Ports - Credit Card, JCB ||
url,doc.emergingthreats.net/2002642
sid-msg.map:2002653 || ET DELETED High Ports - Credit History ||
url,doc.emergingthreats.net/2002653
sid-msg.map:2009293 || ET POLICY Credit Card Number Detected in Clear
(15 digit spaced 2) || url,doc.emergingthreats.net/2009293 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2009294 || ET POLICY Credit Card Number Detected in Clear
(15 digit dashed 2) || url,doc.emergingthreats.net/2009294 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2013244 || ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script || url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-card

What you are looking for is more of a data leakage protection (DLP) .You might find this useful for other OS tools that might solve your problem better http://www.chrisbrenton.org/wp-content/uploads/2010/01/poor-mans-dlp.pdf

On Wed, Jan 30, 2013 at 4:10 PM, Josh Bitto <jbitto at ...16055...> wrote:
> Hmmm.....now I have another question...lol...it's hump day (middle of the 
> week)
>
>
>
> Is there a program out there that works with snort in a way to capture 
> data from users.....let's say...sensitive data rule gets fired (example 
> Email
> Addresses) and we want to make sure that whatever rule that is....the 
> content lines up with company policy.
>
>
>
> I know of wireshark, but that is just packets...
>
>
>
>
>
>
>
>
>
>
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Wednesday, January 30, 2013 12:52 PM
> To: Josh Bitto
> Cc: Jeremy Hoel; Snort Users
>
>
> Subject: Re: [Snort-users] Testing Snort
>
>
>
> On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto at ...16055...> wrote:
>
>
>
> 1. The rules update....I obtained the oinkmaster code and put it in. 
> It has the option to update at certain time every 12 hours for 
> example.....Does it automatically do that or do I have to buy a 
> subscription for that to actually work? I know the definitions will be 
> 30 days old for just a regular registered user, but still.
>
>
>
> You'd probably want to cron it.
>
>
>
> 2. Back to the rules search....ok I searched a couple of SID numbers 
> and it came back as "this rule as been deprecated and placed into deleted.rules"
> Should I suppress that or is my definitions outdated?
>
>
>
> Your definitions may be outdated.  When we delete a rule, it usually 
> because it's no longer useful or it's been replaced by better detection.
>
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire




More information about the Snort-users mailing list