Snort mailing list archives
Re: getting sensitive-data cc# alert to fire
From: "jason" <jason () mangdub com>
Date: Mon, 3 Feb 2014 08:37:00 -0500
Thanks for replying, James.
Try adding -k none to your command line.
I was using -knone so I changed that but still no hits...

/usr/local/bin/snort -c /etc/snort/snort.conf -Acmg -k none -r /tmp/snort_pcap_dump.cap 2> /dev/null

/usr/local/bin/snort -c ./snort-2.9.5.3/etc/snort.conf -Acmg -k none -r /tmp/snort_pcap_dump.cap 2> /dev/null

This seems to work for everyone right out of the box so I am really at a loss why I can't get it alerting... I'm using 2.9.5.3 but will try a fresh install of 2.9.6 and try again.

Again, much thanks!

Kind regards,
Jason

From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Monday, February 03, 2014 8:01 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

On Mon, 2014-02-03 at 07:30 -0500, jason wrote:

I found this old thread about getting the alerts to fire with a single hit (I can't get it to alert at all):
http://seclists.org/snort/2011/q1/983

I ran my pcap dump (contains CC#'s in the payload) through snort and still no hits:

$ /usr/local/bin/snort -c /etc/snort/snort.conf -Acmg -knone -r /tmp/snort_pcap_dump.cap 2> /dev/null

I then tried running it using the generic snort.conf and still no alert:

/usr/local/bin/snort -c ./snort-2.9.5.3/etc/snort.conf -Acmg -knone -r /tmp/snort_pcap_dump.cap 2> /dev/null

Here is a packet in the dump file that was captured with the fake CC#'s:

0000  00 12 da bd 7a d8 00 23 e9 3e 95 47 81 00 0f fe  ....z..# ..>.G....
0010  08 00 45 00 00 e2 b6 35 40 00 3f 06 b6 4a cc 5d  ..E....5 @.?..J.]
0020  80 87 40 b3 40 fe ef 2e 00 15 53 7a fd 48 e6 99  ..@.@... ...Sz.H..
0030  73 60 80 18 00 1d 4c fc 00 00 01 01 08 0a 5b da  s`....L. .......[.
0040  8c 6f 1c 74 2a af 36 30 31 31 31 31 31 31 31 31  .o.t*.60 11111111
0050  31 31 31 31 31 37 0a 36 30 31 31 30 30 30 39 39  111117.6 01100099
0060  30 31 33 39 34 32 34 0a 34 31 31 31 2d 31 31 31  0139424. 4111-111
0070  31 2d 31 31 31 31 2d 31 31 31 31 0a 33 37 38 32  1-1111-1 111.3782
0080  38 32 32 34 36 33 31 30 30 30 35 0a 34 31 31 31  82246310 005.4111
0090  31 31 31 31 31 31 31 31 31 31 31 31 0a 34 31 31  11111111 1111.411
00a0  31 31 31 31 31 31 31 31 31 31 31 31 31 0a 34 31  11111111 11111.41
00b0  31 31 2d 31 31 31 31 2d 31 31 31 31 2d 31 31 31  11-1111- 1111-111
00c0  31 0a 36 30 31 31 31 31 31 31 31 31 31 31 31 31  1.601111 11111111
00d0  31 37 0a 36 30 31 31 30 30 30 39 39 30 31 33 39  17.60110 00990139
00e0  34 32 34 0a 33 37 38 32 38 32 32 34 36 33 31 30  424.3782 82246310
00f0  30 30 35 0a                                      005.

In this view the CC#'s are a little scrambled but when I follow the TCP stream in wireshark, they are clearly shown.

I am totally at a loss why I can't get this working... anyone have any advice or something else I might be able to look at?

Thanks for any help

-----Original Message-----
From: jason [mailto:jason () mangdub com]
Sent: Saturday, February 01, 2014 9:45 AM
To: 'Snort-sigs'
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

HI!

I'm trying to get the sensitive-data CC# alert to fire but I'm having trouble making it happen. Here's what I'm trying and what I've got:

Snort.conf:

preprocessor sensitive_data: alert_threshold 3

This is the rule that came with pulledpork but I can't get it to fire:

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I made this my only rule in snort and I modified it trying to make it easier to fire and alert but still no luck:

alert tcp $HOME_NET any -> any any (msg:"SENSITIVE-DATA Credit Card Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

I then send a mail or use netcat and send clear text CC#'s but still can't get it to fire.

I ran a tcpdump while sending the CC#'s and I can see the CC#'s in the payload (of course). I ran snort with DAQ dump to pcap and that sees the CC#'s too!

/usr/local/bin/snort -i eth0.4094 -Q --daq dump --daq-var load-mode=passive --daq-var file=/tmp/snort_pcap_dump.cap

Could it be something with my Stream5 config? Is my testing method whack? I'm missing something simple I think...

Thanks for any advice

# sorry if this becomes a duplicate - I get all the mail so I thought I was a member already but I got a bounce saying I wasn't... so I signed up again and I'm reposting this and cancelled the original.

Try adding -k none to your command line.

James
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: getting sensitive-data cc# alert to fire jason (Feb 01)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire James Lay (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire Joel Esler (jesler) (Feb 03)
- Re: getting sensitive-data cc# alert to fire waldo kitty (Feb 03)
- Re: getting sensitive-data cc# alert to fire rmkml (Feb 03)
- Re: getting sensitive-data cc# alert to fire waldo kitty (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire Y M (Feb 04)
- Re: getting sensitive-data cc# alert to fire jason (Feb 11)
- Re: getting sensitive-data cc# alert to fire James Lay (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)