Snort and SQL database

[Josh Bitto <jbitto () onlineschool ca>]

I have after a week of battling with this finally got everything going on snort and then using barnyard2 to send the 
alerts to mysql…..However, when I export the data from the sql database it doesn’t look the same at all as the report 
in pfsense….

I used barnyard2’s schema file to create the database and I’m not sure if that has something to do with it.


Any suggestions?

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com] 
Sent: Thursday, January 31, 2013 11:37 AM
To: Jeremy Hoel
Cc: Josh Bitto; Snort Users
Subject: Re: [Snort-users] Testing Snort

I would suggest reading through the sensitive data preprocessor documentation and modifying the rules to fit your 
policy requirements...

Sent from my iPad

On Jan 31, 2013, at 14:28, Jeremy Hoel <jthoel () gmail com> wrote:

> So the ET ruleset has some policy rules for Credit cards and SSN's 
> passed in the clear.  You might check those out to see if they meet 
> your needs.
>
> sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed)
> || url,doc.emergingthreats.net/2001328
> sid-msg.map:2001384 || ET POLICY SSN Detected in Clear Text (spaced)
> || url,doc.emergingthreats.net/2001384
> sid-msg.map:2007971 || ET POLICY SSN Detected in Clear Text (SSN ) ||
> url,doc.emergingthreats.net/2007971
> sid-msg.map:2007972 || ET POLICY SSN Detected in Clear Text (SSN# ) ||
> url,doc.emergingthreats.net/2007972
> sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 
> ssn2 ssn3
> id-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear
> (16 digit spaced) || url,doc.emergingthreats.net/2001375 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001376 || ET POLICY Credit Card Number Detected in Clear
> (16 digit dashed) || url,doc.emergingthreats.net/2001376 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001377 || ET POLICY Credit Card Number Detected in Clear
> (16 digit) || url,doc.emergingthreats.net/2001377 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001378 || ET POLICY Credit Card Number Detected in Clear
> (15 digit) || url,doc.emergingthreats.net/2001378 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001379 || ET POLICY Credit Card Number Detected in Clear
> (15 digit spaced) || url,doc.emergingthreats.net/2001379 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001380 || ET POLICY Credit Card Number Detected in Clear
> (15 digit dashed) || url,doc.emergingthreats.net/2001380 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001381 || ET POLICY Credit Card Number Detected in Clear
> (14 digit) || url,doc.emergingthreats.net/2001381 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001382 || ET POLICY Credit Card Number Detected in Clear
> (14 digit spaced) || url,doc.emergingthreats.net/2001382 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2001383 || ET POLICY Credit Card Number Detected in Clear
> (14 digit dashed) || url,doc.emergingthreats.net/2001383 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB ||
> url,doc.emergingthreats.net/bin/view/Main/2002477
> sid-msg.map:2002488 || ET DELETED SMTP Credit History ||
> url,doc.emergingthreats.net/bin/view/Main/2002488
> sid-msg.map:2002561 || ET DELETED HTTP - Credit Card, JCB ||
> url,doc.emergingthreats.net/bin/view/Main/2002561
> sid-msg.map:2002572 || ET DELETED HTTP - Credit History ||
> url,doc.emergingthreats.net/bin/view/Main/2002572
> sid-msg.map:2002642 || ET DELETED High Ports - Credit Card, JCB ||
> url,doc.emergingthreats.net/2002642
> sid-msg.map:2002653 || ET DELETED High Ports - Credit History ||
> url,doc.emergingthreats.net/2002653
> sid-msg.map:2009293 || ET POLICY Credit Card Number Detected in Clear
> (15 digit spaced 2) || url,doc.emergingthreats.net/2009293 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2009294 || ET POLICY Credit Card Number Detected in Clear
> (15 digit dashed 2) || url,doc.emergingthreats.net/2009294 || 
> url,www.beachnet.com/~hstiles/cardtype.html
> sid-msg.map:2013244 || ET CURRENT_EVENTS Known Injected Credit Card 
> Fraud Malvertisement Script || 
> url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-c
> redit-card
>
> What you are looking for is more of a data leakage protection (DLP) 
> .You might find this useful for other OS tools that might solve your 
> problem better 
> http://www.chrisbrenton.org/wp-content/uploads/2010/01/poor-mans-dlp.p
> df
>
> On Wed, Jan 30, 2013 at 4:10 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
> > Hmmm…..now I have another question…lol…it’s hump day (middle of the 
> > week)
> >
> >
> >
> > Is there a program out there that works with snort in a way to 
> > capture data from users…..let’s say…sensitive data rule gets fired 
> > (example Email
> > Addresses) and we want to make sure that whatever rule that is….the 
> > content lines up with company policy.
> >
> >
> >
> > I know of wireshark, but that is just packets…
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > From: Joel Esler [mailto:jesler () sourcefire com]
> > Sent: Wednesday, January 30, 2013 12:52 PM
> > To: Josh Bitto
> > Cc: Jeremy Hoel; Snort Users
> >
> >
> > Subject: Re: [Snort-users] Testing Snort
> >
> >
> >
> > On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
> >
> >
> >
> > 1. The rules update....I obtained the oinkmaster code and put it in. 
> > It has the option to update at certain time every 12 hours for 
> > example.....Does it automatically do that or do I have to buy a 
> > subscription for that to actually work? I know the definitions will 
> > be 30 days old for just a regular registered user, but still.
> >
> >
> >
> > You'd probably want to cron it.
> >
> >
> >
> > 2. Back to the rules search....ok I searched a couple of SID numbers 
> > and it came back as "this rule as been deprecated and placed into deleted.rules"
> > Should I suppress that or is my definitions outdated?
> >
> >
> >
> > Your definitions may be outdated.  When we delete a rule, it usually 
> > because it's no longer useful or it's been replaced by better detection.
> >
> >
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
>
> ----------------------------------------------------------------------
> -------- Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics Download AppDynamics Lite 
> for free today:
> http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!