[Snort-users] Problem with sensitive-data:email addresses rule
greg.pendergast at ...11827...
Sat Mar 30 11:24:14 EDT 2013
I've just set up my security-onion system to include the VRT
Registered User rule. I'm getting a bunch of hits on 138:5
Sensitive-data email addresses, but the direction is wrong.

The rule says $HOME_NET -> $EXTERNAL_NET but the alerts I'm getting
are in the opposite direction. The traffic flow is $EXTERNAL_NET ->

Since I just added the VRT rules, this could be happening for other
things and I just haven't found it yet.

In snort.conf, my EXTERNAL_NET = !$HOME_NET and the SecurityOnion
sensors are running Snort 126.96.36.199.

Any ideas as to what could be wrong? I didn't encounter this problem
when using only the ETPRO rules.