Snort mailing list archives

Re: Testing Snort

From: JJC <cummingsj () gmail com>
Date: Thu, 31 Jan 2013 14:37:05 -0500

I would suggest reading through the sensitive data preprocessor documentation and modifying the rules to fit your 
policy requirements...

Sent from my iPad

On Jan 31, 2013, at 14:28, Jeremy Hoel <jthoel () gmail com> wrote:

So the ET ruleset has some policy rules for Credit cards and SSN's
passed in the clear.  You might check those out to see if they meet
your needs.

sid-msg.map:2001328 || ET POLICY SSN Detected in Clear Text (dashed)
|| url,doc.emergingthreats.net/2001328
sid-msg.map:2001384 || ET POLICY SSN Detected in Clear Text (spaced)
|| url,doc.emergingthreats.net/2001384
sid-msg.map:2007971 || ET POLICY SSN Detected in Clear Text (SSN ) ||
url,doc.emergingthreats.net/2007971
sid-msg.map:2007972 || ET POLICY SSN Detected in Clear Text (SSN# ) ||
url,doc.emergingthreats.net/2007972
sid-msg.map:2015952 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
id-msg.map:2001375 || ET POLICY Credit Card Number Detected in Clear
(16 digit spaced) || url,doc.emergingthreats.net/2001375 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001376 || ET POLICY Credit Card Number Detected in Clear
(16 digit dashed) || url,doc.emergingthreats.net/2001376 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001377 || ET POLICY Credit Card Number Detected in Clear
(16 digit) || url,doc.emergingthreats.net/2001377 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001378 || ET POLICY Credit Card Number Detected in Clear
(15 digit) || url,doc.emergingthreats.net/2001378 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001379 || ET POLICY Credit Card Number Detected in Clear
(15 digit spaced) || url,doc.emergingthreats.net/2001379 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001380 || ET POLICY Credit Card Number Detected in Clear
(15 digit dashed) || url,doc.emergingthreats.net/2001380 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001381 || ET POLICY Credit Card Number Detected in Clear
(14 digit) || url,doc.emergingthreats.net/2001381 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001382 || ET POLICY Credit Card Number Detected in Clear
(14 digit spaced) || url,doc.emergingthreats.net/2001382 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2001383 || ET POLICY Credit Card Number Detected in Clear
(14 digit dashed) || url,doc.emergingthreats.net/2001383 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2002477 || ET DELETED SMTP Credit Card, JCB ||
url,doc.emergingthreats.net/bin/view/Main/2002477
sid-msg.map:2002488 || ET DELETED SMTP Credit History ||
url,doc.emergingthreats.net/bin/view/Main/2002488
sid-msg.map:2002561 || ET DELETED HTTP - Credit Card, JCB ||
url,doc.emergingthreats.net/bin/view/Main/2002561
sid-msg.map:2002572 || ET DELETED HTTP - Credit History ||
url,doc.emergingthreats.net/bin/view/Main/2002572
sid-msg.map:2002642 || ET DELETED High Ports - Credit Card, JCB ||
url,doc.emergingthreats.net/2002642
sid-msg.map:2002653 || ET DELETED High Ports - Credit History ||
url,doc.emergingthreats.net/2002653
sid-msg.map:2009293 || ET POLICY Credit Card Number Detected in Clear
(15 digit spaced 2) || url,doc.emergingthreats.net/2009293 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2009294 || ET POLICY Credit Card Number Detected in Clear
(15 digit dashed 2) || url,doc.emergingthreats.net/2009294 ||
url,www.beachnet.com/~hstiles/cardtype.html
sid-msg.map:2013244 || ET CURRENT_EVENTS Known Injected Credit Card
Fraud Malvertisement Script ||
url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-card

What you are looking for is more of a data leakage protection (DLP)
.You might find this useful for other OS tools that might solve your
problem better
http://www.chrisbrenton.org/wp-content/uploads/2010/01/poor-mans-dlp.pdf

On Wed, Jan 30, 2013 at 4:10 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

Hmmm…..now I have another question…lol…it’s hump day (middle of the week)



Is there a program out there that works with snort in a way to capture data
from users…..let’s say…sensitive data rule gets fired (example Email
Addresses) and we want to make sure that whatever rule that is….the content
lines up with company policy.



I know of wireshark, but that is just packets…











From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, January 30, 2013 12:52 PM
To: Josh Bitto
Cc: Jeremy Hoel; Snort Users


Subject: Re: [Snort-users] Testing Snort



On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto () onlineschool ca> wrote:



1. The rules update....I obtained the oinkmaster code and put it in. It has
the option to update at certain time every 12 hours for example.....Does it
automatically do that or do I have to buy a subscription for that to
actually work? I know the definitions will be 30 days old for just a regular
registered user, but still.



You'd probably want to cron it.



2. Back to the rules search....ok I searched a couple of SID numbers and it
came back as "this rule as been deprecated and placed into deleted.rules"
Should I suppress that or is my definitions outdated?



Your definitions may be outdated.  When we delete a rule, it usually because
it's no longer useful or it's been replaced by better detection.



--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Testing Snort, (continued)
- - - Re: Testing Snort Justin Knox (Jan 30)
    - Re: Testing Snort Russ Combs (Jan 30)
    - Re: Testing Snort Josh Bitto (Jan 30)
    - Re: Testing Snort Joel Esler (Jan 30)
    - Re: Testing Snort Jeremy Hoel (Jan 30)
    - Re: Testing Snort Josh Bitto (Jan 30)
    - Re: Testing Snort Joel Esler (Jan 30)
    - Re: Testing Snort Josh Bitto (Jan 30)
    - Re: Testing Snort Josh Bitto (Jan 30)
    - Re: Testing Snort Jeremy Hoel (Jan 31)
    - Re: Testing Snort JJC (Jan 31)