Snort mailing list archives

Problem with sensitive-data:email addresses rule


From: Gregory Pendergast <greg.pendergast () gmail com>
Date: Sat, 30 Mar 2013 11:24:14 -0400

I've just set up my security-onion system to include the VRT
Registered User rule. I'm getting a bunch of hits on 138:5
Sensitive-data email addresses, but the direction is wrong.

The rule says $HOME_NET -> $EXTERNAL_NET but the alerts I'm getting
are in the opposite direction. The traffic flow is $EXTERNAL_NET ->
$HOME_NET.

Since I just added the VRT rules, this could be happening for other
things and I just haven't found it yet.

In snort.conf, my EXTERNAL_NET = !$HOME_NET and the SecurityOnion
sensors are running Snort 2.9.3.1.

Any ideas as to what could be wrong? I didn't encounter this problem
when using only the ETPRO rules.

Thanks,
Greg
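
An added triage example, not part of the original post or of Snort or Security Onion: it tallies alert direction per gid:sid from Snort "fast" alert lines so each rule's observed direction can be compared with the direction in its header, which helps find other rules showing the same symptom. The HOME_NET ranges, sample lines, message text, and the sid 1:1000001 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: HOME_NET CIDRs for illustration; EXTERNAL_NET is !$HOME_NET as in the post.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Fast-alert tail: [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed sample alerts (not real log data).
SAMPLE = [
    "03/30-11:20:01.000001 [**] [138:5:1] sample sensitive-data msg [**] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234",
    "03/30-11:20:02.000001 [**] [138:5:1] sample sensitive-data msg [**] [Priority: 2] {TCP} 203.0.113.11:80 -> 192.168.1.21:51300",
    "03/30-11:20:03.000001 [**] [138:5:1] sample sensitive-data msg [**] [Priority: 2] {TCP} 192.168.1.20:40000 -> 203.0.113.10:25",
    "03/30-11:20:04.000001 [**] [1:1000001:1] sample local rule [**] [Priority: 3] {TCP} 192.168.1.22:40001 -> 203.0.113.12:80",
]

def is_home(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def direction(src, dst):
    s, d = is_home(src), is_home(dst)
    if s != d:
        return "HOME->EXTERNAL" if s else "EXTERNAL->HOME"
    return "HOME->HOME" if s else "EXTERNAL->EXTERNAL"

def tally(lines):
    """Count alerts per (gid:sid, observed direction)."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[(f"{m['gid']}:{m['sid']}", direction(m["src"], m["dst"]))] += 1
    return counts

def mismatches(counts, expected):
    """expected maps 'gid:sid' to the direction written in that rule's header."""
    return {k: n for k, n in counts.items() if k[0] in expected and k[1] != expected[k[0]]}

if __name__ == "__main__":
    for (rule, seen), n in mismatches(tally(SAMPLE), {"138:5": "HOME->EXTERNAL"}).items():
        print(f"{rule}: {n} alert(s) seen {seen}, rule header says HOME->EXTERNAL")
```
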
