Snort mailing list archives
Re: getting sensitive-data cc# alert to fire
From: "jason" <jason () mangdub com>
Date: Mon, 3 Feb 2014 20:40:49 -0500
Thanks for that - I was using 2> /dev/null from the troubleshooting steps in that 2011 thread I found: http://seclists.org/snort/2011/q1/983

In that thread he uses 2> and gets the alert and the output? They did add LOG_ERR to the syslog config to fix their issue, which I tried as well:

output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR

When I run this again using 1> I get all the snort config output but still no alerts.

My 1 rule (to rule them all):

alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf; msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001; rev:2;)

Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
Sensitive Data preprocessor config:
    Global Alert Threshold: 3
    Masked Output: DISABLED

I'm now wondering if the stream is not being reassembled properly and therefore doesn't trip the Luhn algorithm. I'm going to play with Stream5 depth/length settings next, but any other insights are of course welcome as I try to get this working.

Again thanks all for the replies, it's really appreciated :) I will update if I make any headway

Jason

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Monday, February 03, 2014 7:17 PM
To: rmkml; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

On 2/3/2014 5:06 PM, rmkml wrote:
Sorry for disturb,
no problem, rm... you are welcome to jump in any time, my friend ;)

--
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
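As an added illustration of the check Jason suspects is not being tripped (example code written for this archive page, not Snort's own sensitive_data preprocessor code): a Python scanner that applies the documented credit_card logic as I understand it, 15- or 16-digit groups with optional space or dash separators validated by the Luhn checksum, and shows why a number split across two unreassembled TCP segments never matches. The payloads are constructed test data, and the count parameter stands in for the rule's sd_pattern count.

```python
import re

# Candidate PAN: 15 or 16 digits, each optionally followed by one space or
# dash, not embedded in a longer digit run. Assumed to mirror the documented
# sd_pattern credit_card matcher; not taken from Snort source.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate numbers (with separators intact) that pass Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def would_alert(payload: str, count: int = 1) -> bool:
    """True when at least `count` Luhn-valid numbers occur in one payload."""
    return len(find_card_numbers(payload)) >= count


def alerts_per_segment(segments: list, count: int = 1) -> list:
    """Scan each TCP segment on its own, i.e. without stream reassembly."""
    return [would_alert(seg, count) for seg in segments]


if __name__ == "__main__":
    # Constructed plaintext form post carrying the well-known Visa test number.
    payload = "PAN=4111-1111-1111-1111&exp=0216"
    split = [payload[:10], payload[10:]]      # number straddles two segments
    print("reassembled:", would_alert(payload))            # True
    print("per segment:", alerts_per_segment(split))       # [False, False]
```

If the reassembled payload alerts but the per-segment scan does not, the detector only ever saw fragments, which is exactly the Stream5 reassembly question raised above.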
Current thread:
- Re: getting sensitive-data cc# alert to fire jason (Feb 01)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire James Lay (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire Joel Esler (jesler) (Feb 03)
- Re: getting sensitive-data cc# alert to fire waldo kitty (Feb 03)
- Re: getting sensitive-data cc# alert to fire rmkml (Feb 03)
- Re: getting sensitive-data cc# alert to fire waldo kitty (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)
- Re: getting sensitive-data cc# alert to fire Y M (Feb 04)
- Re: getting sensitive-data cc# alert to fire jason (Feb 11)
- Re: getting sensitive-data cc# alert to fire James Lay (Feb 03)
- Re: getting sensitive-data cc# alert to fire jason (Feb 03)