[Snort-users] Problem with sensitive-data:email addresses rule

waldo kitty wkitty42 at ...14940...
Sat Mar 30 18:09:16 EDT 2013


On 3/30/2013 10:24, Gregory Pendergast wrote:
> I've just set up my security-onion system to include the VRT
> Registered User rule. I'm getting a bunch of hits on 138:5
> Sensitive-data email addresses, but the direction is wrong.
>
> The rule says $HOME_NET ->  $EXTERNAL_NET but the alerts I'm getting
> are in the opposite direction. The traffic flow is $EXTERNAL_NET ->
> $HOME_NET.

that '->' isn't necessarily the "direction of flow" indicator... there is also 
"to_server", "from_server", "to_client" and "from_client" modifiers... those are 
where the real direction is determined and that based on the location of 
$HOME_NET and $EXTERNAL_NET along with whether '->', '<-', or '<>' is used...

i'm unsure how you are determining the direction for that "rule" since it is a 
preprocessor "rule" which is generally written in source code rather than rule 
code... AIUI at least...

you might find this link helpful... it doesn't note any particular direction of 
traffic flow, though... only that apparent email addresses have been seen in 
traffic and that it might be a policy violation...

   http://www.snort.org/search/sid/138-5

> Since I just added the VRT rules, this could be happening for other
> things and I just haven't found it yet.
>
> In snort.conf, my EXTERNAL_NET = !$HOME_NET and the SecurityOnion
> sensors are running Snort 2.9.3.1.
>
> Any ideas as to what could be wrong? I didn't encounter this problem
> when using only the ETPRO rules.

the only other thing i can think of would be the location of your sensor and 
what it is sniffing...




More information about the Snort-users mailing list