[Snort-users] Problem with sensitive-data:email addresses rule

Gregory Pendergast greg.pendergast at ...11827...
Sat Mar 30 11:24:14 EDT 2013

I've just set up my security-onion system to include the VRT
Registered User rule. I'm getting a bunch of hits on 138:5
Sensitive-data email addresses, but the direction is wrong.

The rule says $HOME_NET -> $EXTERNAL_NET but the alerts I'm getting
are in the opposite direction. The traffic flow is $EXTERNAL_NET ->

Since I just added the VRT rules, this could be happening for other
things and I just haven't found it yet.

In snort.conf, my EXTERNAL_NET = !$HOME_NET and the SecurityOnion
sensors are running Snort

Any ideas as to what could be wrong? I didn't encounter this problem
when using only the ETPRO rules.

