Snort mailing list archives
Snort and SQL database
From: Josh Bitto <jbitto () onlineschool ca>
Date: Fri, 1 Feb 2013 15:22:28 -0800
After a week of battling with this, I have finally got everything going on Snort and am using barnyard2 to send the alerts to MySQL... However, when I export the data from the SQL database it doesn't look the same at all as the report in pfSense... I used barnyard2's schema file to create the database and I'm not sure if that has something to do with it. Any suggestions?

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Thursday, January 31, 2013 11:37 AM
To: Jeremy Hoel
Cc: Josh Bitto; Snort Users
Subject: Re: [Snort-users] Testing Snort

I would suggest reading through the sensitive data preprocessor documentation and modifying the rules to fit your policy requirements...

Sent from my iPad

On Jan 31, 2013, at 14:28, Jeremy Hoel <jthoel () gmail com> wrote:

So the ET ruleset has some policy rules for credit cards and SSNs passed in the clear. You might check those out to see if they meet your needs.

sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed) || url,doc.emergingthreats.net/2001328
sid-msg.map:2001384 || ET POLICY SSN Detected in Clear Text (spaced) || url,doc.emergingthreats.net/2001384
sid-msg.map:2007971 || ET POLICY SSN Detected in Clear Text (SSN ) || url,doc.emergingthreats.net/2007971
sid-msg.map:2007972 || ET POLICY SSN Detected in Clear Text (SSN# ) || url,doc.emergingthreats.net/2007972
sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
sid-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,doc.emergingthreats.net/2001375 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001376 || ET POLICY Credit Card Number Detected in Clear (16 digit dashed) || url,doc.emergingthreats.net/2001376 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001377 || ET POLICY Credit Card Number Detected in Clear (16 digit) || url,doc.emergingthreats.net/2001377 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001378 || ET POLICY Credit Card Number Detected in Clear (15 digit) || url,doc.emergingthreats.net/2001378 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001379 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced) || url,doc.emergingthreats.net/2001379 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001380 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed) || url,doc.emergingthreats.net/2001380 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001381 || ET POLICY Credit Card Number Detected in Clear (14 digit) || url,doc.emergingthreats.net/2001381 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001382 || ET POLICY Credit Card Number Detected in Clear (14 digit spaced) || url,doc.emergingthreats.net/2001382 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001383 || ET POLICY Credit Card Number Detected in Clear (14 digit dashed) || url,doc.emergingthreats.net/2001383 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002477
sid-msg.map:2002488 || ET DELETED SMTP Credit History || url,doc.emergingthreats.net/bin/view/Main/2002488
sid-msg.map:2002561 || ET DELETED HTTP - Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002561
sid-msg.map:2002572 || ET DELETED HTTP - Credit History || url,doc.emergingthreats.net/bin/view/Main/2002572
sid-msg.map:2002642 || ET DELETED High Ports - Credit Card, JCB || url,doc.emergingthreats.net/2002642
sid-msg.map:2002653 || ET DELETED High Ports - Credit History || url,doc.emergingthreats.net/2002653
sid-msg.map:2009293 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2) || url,doc.emergingthreats.net/2009293 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2009294 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2) || url,doc.emergingthreats.net/2009294 || url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2013244 || ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script || url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-card

What you are looking for is more of a data leakage protection (DLP). You might find this useful for other OS tools that might solve your problem better: http://www.chrisbrenton.org/wp-content/uploads/2010/01/poor-mans-dlp.pdf

On Wed, Jan 30, 2013 at 4:10 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

Hmmm... now I have another question... lol... it's hump day (middle of the week). Is there a program out there that works with Snort in a way to capture data from users... let's say... a sensitive data rule gets fired (example: Email Addresses) and we want to make sure that, whatever rule that is, the content lines up with company policy. I know of Wireshark, but that is just packets...

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, January 30, 2013 12:52 PM
To: Josh Bitto
Cc: Jeremy Hoel; Snort Users
Subject: Re: [Snort-users] Testing Snort

On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

1. The rules update.... I obtained the oinkmaster code and put it in. It has the option to update at a certain time, every 12 hours for example..... Does it automatically do that or do I have to buy a subscription for that to actually work? I know the definitions will be 30 days old for just a regular registered user, but still.

You'd probably want to cron it.

2. Back to the rules search.... ok, I searched a couple of SID numbers and it came back as "this rule has been deprecated and placed into deleted.rules". Should I suppress that or are my definitions outdated?

Your definitions may be outdated. When we delete a rule, it's usually because it's no longer useful or it's been replaced by better detection.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
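The reason a raw export of the barnyard2 database looks nothing like the pfSense alert report is that barnyard2's schema normalizes each alert across several tables: `event` holds only numeric keys (sensor id, event id, signature id, timestamp), while the rule message lives in `signature`, the classification in `sig_class`, and the addresses and ports in `iphdr`, `tcphdr` and `udphdr`, with IPv4 addresses stored as unsigned 32-bit integers. A readable report has to be reconstructed with a join. The query below is an added example, not code from this thread or from the barnyard2 project; it assumes the stock barnyard2 `create_mysql` schema and table names, and the database name `snort` is an assumption.

```sql
-- Added example: rebuild a one-line-per-alert report (like pfSense's
-- alert view) from the normalized barnyard2 MySQL schema.
-- Assumes the stock barnyard2 create_mysql tables; "snort" as the
-- database name is an assumption.
USE snort;

SELECT
    e.timestamp,
    s.hostname                              AS sensor,
    s.interface,
    sig.sig_gid, sig.sig_sid, sig.sig_rev,  -- GID:SID:Rev as in alert logs
    sig.sig_name                            AS msg,
    sc.sig_class_name                       AS classification,
    sig.sig_priority                        AS priority,
    -- barnyard2 stores IPv4 addresses as unsigned integers
    INET_NTOA(ip.ip_src)                    AS src_ip,
    COALESCE(t.tcp_sport, u.udp_sport)      AS src_port,
    INET_NTOA(ip.ip_dst)                    AS dst_ip,
    COALESCE(t.tcp_dport, u.udp_dport)      AS dst_port,
    CASE ip.ip_proto
        WHEN 1  THEN 'ICMP'
        WHEN 6  THEN 'TCP'
        WHEN 17 THEN 'UDP'
        ELSE CONCAT('proto ', ip.ip_proto)
    END                                     AS proto
FROM event e
JOIN sensor    s   ON s.sid = e.sid
JOIN signature sig ON sig.sig_id = e.signature
LEFT JOIN sig_class sc ON sc.sig_class_id = sig.sig_class_id
-- every per-packet table is keyed by (sensor id, event id), same as event
LEFT JOIN iphdr  ip ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t  ON t.sid  = e.sid AND t.cid  = e.cid
LEFT JOIN udphdr u  ON u.sid  = e.sid AND u.cid  = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
ORDER BY e.timestamp DESC
LIMIT 100;
```

The `LEFT JOIN`s matter: an ICMP alert has no row in `tcphdr` or `udphdr`, and an alert raised without packet data has no `iphdr` row, so inner joins would silently drop those events from the report. Running this instead of exporting the tables directly is also the quickest check that barnyard2 is actually populating `signature` and `iphdr` and not just `event`.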
Current thread:
- Snort and SQL database Josh Bitto (Feb 01)
- Re: Snort and SQL database Jeremy Hoel (Feb 01)
- Re: Snort and SQL database Josh Bitto (Feb 01)
- Re: Snort and SQL database Jeremy Hoel (Feb 01)
- Re: Snort and SQL database Josh Bitto (Feb 01)
- Re: Snort and SQL database waldo kitty (Feb 01)
- Re: Snort and SQL database Jeremy Hoel (Feb 01)