Re: Sensitive Data Preprocessor: logging single matches

[Erik Johnson <ejohnson () vailsys com>]

On Tue, Mar 01, 2011 at 03:17:10PM -0500, Victor Roemer wrote:
> Try adding some mail headers in the stream
>
> heres what I did
>
> [vroemer@interpol simple]$ telnet mail.example.com 25
> Trying 192.168.1.2 ...
> Connected to mail.example.com.
> Escape character is '^]'.
> 220 example.com ESMTP Postfix
> helo mail.example.com.com
> 250 example.com
> mail from: blah () blah com
> 250 Ok
> rcpt to: frak () frakken com
> 250 Ok
> data
> 354 End data with <CR><LF>.<CR><LF>
> From: blah () blah com
> To: frak () frakken com
> Content-type: text/html
> Subject: Credit Card Numbers
>
> 4660105464387620
> .
> 250 Ok: queued as E4A486CC12C
> ^]
>
> telnet> Connection closed.

The example I sent in my previous message already did have mail headers.
I tried again, this time adding "Content-type: text/plain", but it still
takes two credit card numbers to generate an alert.

--

Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699

http://www.vailsys.com

Attachment: _bin
Description:

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users