Snort mailing list archives
Re: getting sensitive-data cc# alert to fire
From: "jason" <jason () mangdub com>
Date: Tue, 11 Feb 2014 15:56:45 -0500
Sorry I didn't update, been busy with other stuff.
config disable_decode_alerts was uncommented in my snort.conf so I commented
it and now I see decode alerts where previously I did not. I thought for
sure this was going to help me but I STILL can't get snort to fire an alert
when I transmit CC#'s.
I played with the syslog settings and when I have all my rules enabled
(including the 4 sensitive-data rules that come by default) I am seeing
alerts like this:
sensitive_data: sensitive data global threshold exceeded
[139:1:1] (spp_sdf) SDF Combination Alert [Classification: Senstive Data]
[Priority: 2] {PROTO:254} xx.xx.xx.xx -> xx.xx.xx.xx
But I can't find any packets or payloads captured. I'm thinking the SDF
Combination Alert is when 2 or more different sensitive-data alerts (like
CC#'s and social security numbers for example) are tripped and is
informational only? This alert doesn't get picked up by Barnyard but the
global threshold exceeded alerts do - they also don't have captured
payloads.
Here's what I capture with tcpdump and reassembling but I never see Snort
capture any of this:
220 BN1BFFO11FD022.xxxxxxxxx.com Microsoft ESMTP MAIL Service ready at Thu,
6 Feb 2014 16:39:35 +0000
EHLO outgoing.xxxxxxxxxx.net
250-BN1BFFO11FD022.mail.xxxxxx.xxxxxx.com Hello [xx.xx.xx.xx]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
MAIL FROM:<me () foo com> SIZE=1336
RCPT TO:<me () foo com> ORCPT=rfc822;me () foo com
DATA
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
Received: from blade1-0?xxxxxxx.net (unknown [10.0.2.87])
    by outgoing.xxxxxxxxxx.net (Postfix) with SMTP id DD33849924BC
    for <me () foo com>; Thu, 6 Feb 2014 16:39:15 +0000 (GMT)
Message-Id: <20140206163921.DD33849924BC@ outgoing.xxxxxxxxxx.net>
Date: Thu, 6 Feb 2014 16:39:15 +0000 (GMT)
From: me () foo com
To: undisclosed-recipients:;
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
4111111111111111
4111-1111-1111-1111
4660105464387620
QUIT
250 2.6.0 <20140206163921.DD33849924BC () outgoing xxxxxxx net>
[InternalId=8452495646426, Hostname=BN1PR05MB264.namprd05.xxxxxxxxx.com]
Queued mail for delivery
221 2.0.0 Service closing transmission channel
I've also tried sending email addresses via mail and using netcat. I even
tried sending a fake CC# in the email header like: helo 4111111111111111
I grabbed a new box and installed CentOS 6.4 and Snort 2.9.6. I only
changed the alert_syslog and commented out config disable_decode_alerts in
snort.conf. I also made sure that threshold.conf is empty and not loading
pulledpork disablesid.conf.
I changed the CC# rule to:
alert tcp any any <> any any (msg:"SENSITIVE-DATA Credit Card Numbers";
sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
and I changed the Email address rule to:
alert tcp any any <> any any (msg:"SENSITIVE-DATA Email Addresses";
metadata:service http, service smtp, service ftp-data, service imap, service
pop3; sd_pattern:1,email; classtype:sdf; sid:5; gid:138; rev:1;)
This is a totally fresh install and the interface sees very little traffic,
but I still can't get an alert out of it! I can only get that vague alert
about the threshold being exceeded, but I don't even think my testing is
tripping that.
This is killing me because I know this should be working and shouldn't be
this much trouble to test/confirm.
Any other ideas are welcome
thanks
From: Y M [mailto:snort () outlook com]
Sent: Tuesday, February 04, 2014 4:05 AM
To: jason () mangdub com
Cc: snort-sigs
Subject: RE: [Snort-sigs] getting sensitive-data cc# alert to fire
Hi Jason,
Does your snort.conf have this line disabled (commented)?
config disable_decode_alerts
From the documentation (http://manual.snort.org/node18.html): "if config disable_decode_alerts is in snort.conf, decoder events will not be generated regardless of whether or not there are corresponding rules for the event."

Thanks
YM
From: jason () mangdub com
To: snort-sigs () lists sourceforge net
Date: Mon, 3 Feb 2014 20:40:49 -0500
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

Thanks for that - I was using 2> /dev/null from the troubleshooting steps in
that 2011 thread I found: http://seclists.org/snort/2011/q1/983

In that thread he uses 2> and gets the alert and the output? They did add
LOG_ERR to the syslog config to fix their issue which I tried as well:

output alert_syslog: LOG_AUTH LOG_ALERT LOG_ERR

When I run this again using 1> I get all the snort config output but still no
alerts.

My 1 rule (to rule them all):

alert tcp any any <> any any (sd_pattern:1,credit_card; classtype:sdf; msg:"Credit Card number detected in plaintext"; gid:138; sid:8000001; rev:2;)

Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules

Sensitive Data preprocessor config:
    Global Alert Threshold: 3
    Masked Output: DISABLED

I'm now wondering if the stream is not being reassembled properly and
therefore doesn't trip the luhn algorithm. I'm going to play with Stream5
depth/length settings next but any other insights are of course welcome as I
try to get this working.

Again thanks all for the replies, it's really appreciated :) I will update if
I make any headway

Jason

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Monday, February 03, 2014 7:17 PM
To: rmkml; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] getting sensitive-data cc# alert to fire

On 2/3/2014 5:06 PM, rmkml wrote:
> Sorry for disturb,

no problem, rm... you are welcome to jump in any time, my friend ;)

--
NOTE: No off-list assistance is given without prior approval. Please keep
mailing list traffic on the list unless private contact is specifically
requested and granted.