Snort mailing list archives
sensitive-data email alerts
From: Jay Hirata <jhirata () cmlab biz>
Date: Thu, 01 Aug 2013 16:44:50 -0600
Hi,

I've got the following rule in my local.rules file:

alert tcp $EXTERNAL_NET any -> $HOME_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:1,email; classtype:sdf; sid:5; gid:138; rev:1;)

It's triggering on an HTTP request to get the favicon.

GET /favicon.ico HTTP/1.1

I was wondering if anyone else has had this problem or if there was something I was missing. I've also got a unified2 output, but I wasn't sure if I would be able to attach it or not.

Thanks,
Jay

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!