Snort mailing list archives

Re: Detect Credit Card number in attached file


From: hosein izadi <fhoseinh () yahoo com>
Date: Fri, 21 Mar 2014 05:45:26 -0700 (PDT)

Excellent point, Russ. I have had a rule like the one below in place for a while; here is the rule:
alert tcp any any -> any any (msg:"Credit card numbers sent over email"; file_data; content:"mastercard"; pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; sid:9001215; rev:1;)

With this rule in place, what happens is that as soon as I put the rule in place and run /usr/bin/rule-update, I
can see Snort detect a MasterCard credit card number even if it is in an attached file. The problem is that this rule
only works for 1 or 2 minutes and after that it stops detecting credit cards; if I want to get it working again I have
to run /usr/bin/rule-update again, and then it works again for 1 or 2 minutes, as I said.
I would like to know why this happens, and whether we can get this to work.
thanks,
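The following is an added example, not part of the original post or of Snort itself, showing in Python what the two rule styles in this thread are matching against. It applies the same MasterCard regex as the pcre rule above once to the raw SMTP message and once to each MIME part after transfer decoding (the decoded view is what a file_data rule inspects; a base64 attachment only reveals the number after decoding), and it adds a Luhn check so that a digit string that merely looks like a card number is dropped. The message, the card numbers (standard test numbers) and the function names are all constructed for the example.

```python
import base64
import re
from email import message_from_string

# Same pattern as the pcre in the rule above: a 16-digit number starting
# with 5, in groups of four optionally separated by whitespace or a hyphen.
CC_RE = re.compile(r"5\d{3}(?:\s|-)?\d{4}(?:\s|-)?\d{4}(?:\s|-)?\d{4}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, validate: bool = True) -> list[str]:
    """Return the normalised (digits-only) card numbers found in text."""
    hits = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_raw_message(raw: str) -> list[str]:
    """What a rule matching the undecoded SMTP stream can see."""
    return find_card_numbers(raw)


def scan_decoded_parts(raw: str) -> dict[str, list[str]]:
    """What a file_data-style rule sees: each MIME leaf after decoding
    its Content-Transfer-Encoding, keyed by filename or part index."""
    msg = message_from_string(raw)
    results = {}
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        label = part.get_filename() or f"part{idx}"
        results[label] = find_card_numbers(payload.decode("utf-8", "replace"))
    return results


# Constructed sample: one clear-text number in the body and a base64
# attachment holding a valid test number plus a Luhn-invalid lookalike.
ATTACHMENT_TEXT = (
    "Customer card on file: 5555-5555-5555-4444\n"
    "Mistyped card:         5555-5555-5555-4445\n"
)
_BOUNDARY = "snortexample"
SAMPLE_EMAIL = "\n".join([
    "From: alice@example.test",
    "To: bob@example.test",
    "Subject: invoice",
    "MIME-Version: 1.0",
    f'Content-Type: multipart/mixed; boundary="{_BOUNDARY}"',
    "",
    f"--{_BOUNDARY}",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Please charge 5105 1051 0510 5100 for the invoice.",
    f"--{_BOUNDARY}",
    'Content-Type: text/plain; name="cards.txt"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="cards.txt"',
    "",
    base64.b64encode(ATTACHMENT_TEXT.encode()).decode(),
    f"--{_BOUNDARY}--",
    "",
])


if __name__ == "__main__":
    print("raw stream:", scan_raw_message(SAMPLE_EMAIL))
    print("decoded parts:", scan_decoded_parts(SAMPLE_EMAIL))
```

Run as a script, the raw scan reports only the body number, while the decoded scan also reports the number inside cards.txt and silently drops the Luhn-invalid one; that is the gap between matching the wire bytes and matching the decoded attachment.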



On Thursday, March 20, 2014 5:25 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
 
Just to help narrow down the problem, can you write a file_data rule to match a credit card number in the email 
attachment to see if it fires? 



________________________________
 
From: hosein izadi [fhoseinh () yahoo com]
Sent: Thursday, March 20, 2014 3:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Detect Credit Card number in attached file


Hello,
 
I have a rule in place to detect credit card information that is passing through my network. Here is the rule:
 
alert tcp any any -> any any (msg:"Credit card number over email"; gid:138; sid:1000; rev:1; sd_pattern:2,credit_card; metadata:service smtp;)
 
With this rule in place, Snort detects credit card numbers that are in clear text in the body of the email, but
if the credit card numbers are inside an attached file in the email, Snort does not detect them.
 
Any idea how we can get this to work?
 
Thanks,