[Snort-users] Problem with sensitive-data:email addresses rule

waldo kitty wkitty42 at ...14940...
Sat Mar 30 18:29:02 EDT 2013


On 3/30/2013 17:09, waldo kitty wrote:
> On 3/30/2013 10:24, Gregory Pendergast wrote:
>> I've just set up my security-onion system to include the VRT
>> Registered User rule. I'm getting a bunch of hits on 138:5
>> Sensitive-data email addresses, but the direction is wrong.
>>
>> The rule says $HOME_NET ->   $EXTERNAL_NET but the alerts I'm getting
>> are in the opposite direction. The traffic flow is $EXTERNAL_NET ->
>> $HOME_NET.
>
> that '->' isn't necessarily the "direction of flow" indicator... there is also
> "to_server", "from_server", "to_client" and "from_client" modifiers... those are
> where the real direction is determined, and that is based on the location of
> $HOME_NET and $EXTERNAL_NET along with whether '->','<-', or '<>' is used...

i needed to clarify this a bit...

# each rule needs a protocol and a sid to load; '#' starts a comment in a Snort rules file
# to home_net server
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"to home_net server"; flow:to_server; sid:1000001; rev:1;)

# to external_net client
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"to external_net client"; flow:to_client; sid:1000002; rev:1;)

# to external_net server
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"to external_net server"; flow:to_server; sid:1000003; rev:1;)

# to home_net client
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"to home_net client"; flow:to_client; sid:1000004; rev:1;)


can you more easily see the differences i was trying to point out?
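To make the header-arrow versus flow-modifier distinction concrete, here is a small Python model of how the two checks combine, written as an added example for this thread (it is neither Snort code nor the list author's); it assumes a constructed $HOME_NET of 192.168.1.0/24, $EXTERNAL_NET defined as !$HOME_NET, and two constructed packets from one HTTP session.

```python
import ipaddress

# Constructed topology for this example; a real sensor sets HOME_NET in snort.conf.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
DIRECTION_KEYWORDS = {"to_server", "from_client", "to_client", "from_server"}

def addr_matches(ip, var):
    """Resolve any / $HOME_NET / $EXTERNAL_NET / a literal CIDR against one address."""
    if var == "any":
        return True
    in_home = any(ipaddress.ip_address(ip) in net for net in HOME_NET)
    if var in ("$HOME_NET", "$EXTERNAL_NET"):  # assumes $EXTERNAL_NET = !$HOME_NET
        return in_home if var == "$HOME_NET" else not in_home
    return ipaddress.ip_address(ip) in ipaddress.ip_network(var, strict=False)

def parse_rule(text):
    """Split a Snort rule into its header fields and its flow direction keyword."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    flow = None
    for option in body.rstrip(") \n").split(";"):
        key, _, value = option.strip().partition(":")
        if key == "flow":
            flow = next((t.strip() for t in value.split(",") if t.strip() in DIRECTION_KEYWORDS), None)
    return {"src": src, "sport": sport, "dir": direction, "dst": dst, "dport": dport, "flow": flow}

def matches(rule, pkt):
    """pkt: src/sport/dst/dport plus from_client (True when the packet travels
    from the TCP initiator, the client, towards the responder, the server)."""
    def header_ok(src, sport, dst, dport):
        return (addr_matches(pkt["src"], src) and (sport == "any" or int(sport) == pkt["sport"])
                and addr_matches(pkt["dst"], dst) and (dport == "any" or int(dport) == pkt["dport"]))
    # The header arrow only fixes which side is source and which is destination.
    ok = header_ok(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["dir"] == "<>":
        ok = ok or header_ok(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not ok:
        return False
    # The flow keyword adds the packet's client/server role within the session.
    if rule["flow"] in ("to_server", "from_client"):
        return pkt["from_client"]
    if rule["flow"] in ("to_client", "from_server"):
        return not pkt["from_client"]
    return True

# Constructed HTTP session: a HOME_NET browser talks to an external web server.
REQUEST = {"src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.5", "dport": 80, "from_client": True}
RESPONSE = {"src": "203.0.113.5", "sport": 80, "dst": "192.168.1.10", "dport": 51000, "from_client": False}
OUTBOUND = 'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"email leaving"; flow:to_server,established; sid:1000001; rev:1;)'
INBOUND = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"email arriving"; flow:to_client,established; sid:1000002; rev:1;)'
```

A server reply that carries an address matches INBOUND and not OUTBOUND: the reply's source is external, so OUTBOUND's header never applies, and its flow:to_server would reject a server-to-client packet in any case.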
