Snort mailing list archives
Re: Problem with sensitive-data:email addresses rule
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 30 Mar 2013 17:29:02 -0500
On 3/30/2013 17:09, waldo kitty wrote:
> On 3/30/2013 10:24, Gregory Pendergast wrote:
>> I've just set up my security-onion system to include the VRT Registered User rule. I'm getting a bunch of hits on 138:5 Sensitive-data email addresses, but the direction is wrong. The rule says $HOME_NET -> $EXTERNAL_NET but the alerts I'm getting are in the opposite direction. The traffic flow is $EXTERNAL_NET -> $HOME_NET.
>
> that '->' isn't necessarily the "direction of flow" indicator... there is also "to_server", "from_server", "to_client" and "from_client" modifiers... those are where the real direction is determined and that based on the location of $HOME_NET and $EXTERNAL_NET along with whether '->', '<-', or '<>' is used...

i needed to clarify this a bit...

  alert $EXTERNAL_NET any -> $HOME_NET 80 (flow:to_server;)    // to home_net server
  alert $EXTERNAL_NET any -> $HOME_NET 80 (flow:to_client;)    // to external_net client
  alert $HOME_NET any -> $EXTERNAL_NET 80 (flow:to_server;)    // to external_net server
  alert $HOME_NET any -> $EXTERNAL_NET 80 (flow:to_client;)    // to home_net client

can you more easily see the differences i was trying to point out?
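As an added illustration (not code from this thread or from the Snort project), here is a small Python model of how the rule header's direction operator and the flow keyword combine, following the documented Snort semantics: '->' matches only packets whose source is the left-hand side and whose destination is the right-hand side, '<>' accepts either orientation, and flow:to_server/from_client versus flow:to_client/from_server additionally require the packet to be travelling toward the session's server or client. $HOME_NET is a constructed 10.0.0.0/8 and $EXTERNAL_NET is assumed to mean !$HOME_NET; the sample rules carry a protocol field, which a complete rule header needs.

```python
import ipaddress
import re
# Constructed: $HOME_NET is 10.0.0.0/8; $EXTERNAL_NET is assumed to mean !$HOME_NET.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
# Header layout: action proto src sport (->|<>) dst dport (options)
HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def addr_matches(spec, ip):
    """Resolve any / $HOME_NET / $EXTERNAL_NET / a literal CIDR against one IP."""
    ip = ipaddress.ip_address(ip)
    in_home = any(ip in net for net in HOME_NET)
    if spec == "any":
        return True
    if spec in ("$HOME_NET", "$EXTERNAL_NET"):
        return in_home if spec == "$HOME_NET" else not in_home
    return ip in ipaddress.ip_network(spec)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def parse_rule(rule):
    """Split a rule into header fields plus the set of flow: keywords."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    _action, _proto, src, sport, direction, dst, dport, opts = m.groups()
    flow = set()
    for opt in opts.split(";"):
        name, _, val = opt.strip().partition(":")
        if name == "flow":
            flow = {f.strip() for f in val.split(",")}
    return {"src": src, "sport": sport, "dir": direction, "dst": dst, "dport": dport, "flow": flow}

def rule_matches(rule, src, sport, dst, dport, to_server):
    """to_server is True when the packet travels from the session's client
    toward its server; Snort derives that from the TCP session it tracks."""
    r = parse_rule(rule)
    fwd = (addr_matches(r["src"], src) and port_matches(r["sport"], sport)
           and addr_matches(r["dst"], dst) and port_matches(r["dport"], dport))
    rev = (addr_matches(r["src"], dst) and port_matches(r["sport"], dport)
           and addr_matches(r["dst"], src) and port_matches(r["dport"], sport))
    # '->' is one-way (left side is the source); '<>' accepts either orientation.
    if not (fwd or (r["dir"] == "<>" and rev)):
        return False
    # The flow keyword then filters on the session direction, not on the IP/port layout.
    if r["flow"] & {"to_server", "from_client"}:
        return to_server
    if r["flow"] & {"to_client", "from_server"}:
        return not to_server
    return True
```

Under this model a packet from $EXTERNAL_NET to $HOME_NET never matches a `$HOME_NET any -> $EXTERNAL_NET any` header whatever flow option is set, which is the check to run when an alert seems to fire in the wrong direction.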