Snort mailing list archives

sensitive-data email alerts


From: Jay Hirata <jhirata () cmlab biz>
Date: Thu, 01 Aug 2013 16:44:50 -0600

Hi,

I've got the following rule in my local.rules file:

        alert tcp $EXTERNAL_NET any -> $HOME_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:1,email; classtype:sdf; sid:5; gid:138; rev:1;)


It's triggering on an HTTP request to get the favicon.

        GET /favicon.ico HTTP/1.1

I was wondering if anyone else has had this problem or if there was 
something I was missing. I've also got a unified2 output, but I wasn't 
sure if I would be able to attach it or not.

Thanks,
Jay


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

