Snort mailing list archives
Re: Some alerts not logging packet data
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Nov 2011 07:08:37 -0700
Haven't received much on this, so I thought I'd try and add some more info. Here's the hit:

    11/27-10:52:18.548118 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} INT_IP:51126 -> EX_IP:25

u2spewfoo output:

    (Event)
        sensor id: 0    event id: 1312    event second: 1322416338    event microsecond: 548118
        sig id: 2    gen id: 138    revision: 1    classification: 35    priority: 2
        ip source: IN_IP    ip destination: EXT_IP    src port: 51126    dest port: 25
        protocol: 6    impact_flag: 0    blocked: 0

There's no information in the tcpdump.log file. Not sure this matters or not, but here are the smtp-relevant entries:

    preprocessor smtp: ports { 25 465 587 691 } \
        inspection_type stateful \
        b64_decode_depth 0 \
        qp_decode_depth 0 \
        bitenc_decode_depth 0 \
        uu_decode_depth 0 \
        log_mailfrom \
        log_rcptto \
        log_filename \
        log_email_hdrs \
        normalize cmds \
        normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
        normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
        normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
        normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
        max_command_line_len 512 \
        max_header_line_len 1000 \
        max_response_line_len 512 \
        alt_max_command_line_len 260 { MAIL } \
        alt_max_command_line_len 300 { RCPT } \
        alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
        alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
        alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
        valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
        valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
        valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
        valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
        xlink2state { enabled }

Does anyone have any hints or ideas? Thank you.

James
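The u2spewfoo output above shows an Event record with no Packet record following it, which is why nothing reaches the packet log. As an added example (not from James's message or from Snort itself), the script below walks a unified2 buffer the same way and lists every event that has no packet record sharing its sensor/event-id/event-second key; record layouts follow Snort's unified2 format for the basic IPv4 event type and the packet type only, and the IP addresses and the second event are constructed placeholders.

```python
import struct
# Unified2 record types and big-endian layouts (Snort's Unified2_common.h);
# only the basic IPv4 event type and the packet type are handled here.
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
# sensor_id, event_id, event_second, event_usec, sig_id, gen_id, sig_rev, class_id,
# priority, ip_src, ip_dst, sport, dport, proto, impact_flag, impact, blocked
EVENT_FMT = ">11I2H4B"
# sensor_id, event_id, event_second, packet_second, packet_usec, linktype, packet_length
PACKET_FMT = ">7I"

def parse_unified2(buf):
    """Yield (record_type, fields) for every event or packet record in buf."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(">II", buf, off)
        body = buf[off + 8:off + 8 + rlen]
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= struct.calcsize(EVENT_FMT):
            yield rtype, struct.unpack_from(EVENT_FMT, body)
        elif rtype == UNIFIED2_PACKET and len(body) >= struct.calcsize(PACKET_FMT):
            yield rtype, struct.unpack_from(PACKET_FMT, body)

def events_without_packets(buf):
    """Return (gen_id, sig_id, event_id) for each Event record with no Packet record
    sharing its (sensor_id, event_id, event_second) key, i.e. nothing to write to
    the packet log for that alert."""
    events, packets = {}, set()
    for rtype, f in parse_unified2(buf):
        key = (f[0], f[1], f[2])
        if rtype == UNIFIED2_IDS_EVENT:
            events[key] = (f[5], f[4], f[1])
        else:
            packets.add(key)
    return [v for k, v in events.items() if k not in packets]

def event_record(sensor, eid, sec, usec, sig, gen, cls, prio, src, dst, sport, dport):
    body = struct.pack(EVENT_FMT, sensor, eid, sec, usec, sig, gen, 1, cls, prio,
                       src, dst, sport, dport, 6, 0, 0, 0)  # proto 6 = TCP, not blocked
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def packet_record(sensor, eid, sec, data):
    body = struct.pack(PACKET_FMT, sensor, eid, sec, sec, 0, 1, len(data)) + data
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# Constructed sample: the 138:2 event from the post (IPs are placeholders) with no
# packet record, then a made-up 1:1000001 event that does carry one (filler bytes).
SAMPLE = (
    event_record(0, 1312, 1322416338, 548118, 2, 138, 35, 2, 0x0A000005, 0xC0A80119, 51126, 25)
    + event_record(0, 1313, 1322416340, 1000, 1000001, 1, 35, 2, 0x0A000005, 0xC0A80119, 51127, 25)
    + packet_record(0, 1313, 1322416340, b"\x45\x00\x00\x28" + b"\x00" * 36)
)
```

Run it against a real `snort.log.*` file by replacing `SAMPLE` with the file's bytes; an empty result means every alert in that log has packet data, a non-empty one names the generator:signature pairs to look at.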