Snort mailing list archives

Re: Detect Credit Card number in attached file


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Mon, 24 Mar 2014 19:21:45 +0000


________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Friday, March 21, 2014 2:00 PM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Detect Credit Card number in attached file

rule-update script is a normal script you run every time you add a new rule to your local rules. It restarts Snort. But 
what do you think about the rule itself? Am I missing something?

The rule is fine to demonstrate that Snort is detecting on the attachment.  Not sure why it stops firing though.  Do 
you have any event filters / thresholds?

Actually, are you sure Snort is still running when this rule stops firing?

Are you just replaying the same pcap over and over or is this happening with live traffic?


On Friday, March 21, 2014 1:48 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Friday, March 21, 2014 8:45 AM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Detect Credit Card number in attached file

Excellent point Russ, so I had a rule in place like below for a while, here is the rule:
alert tcp any any -> any any (msg:"Credit card numbers sent over email"; file_data; pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; content:"mastercard"; sid:9001215; rev:1;)
With this rule in place, what happens is, as soon as I put this rule in place and run /usr/bin/rule-update, I 
can see Snort detects a Mastercard credit card even if it is in an attached file, but the problem is this rule just 
works for 1 or 2 minutes and after that it stops detecting credit cards, and if I want to get it to work I have to run 
/usr/bin/rule-update again and have it working again for 1 or 2 minutes as I said.
I would like to know why this happens, and if we can get this to work.
thanks,

What does your rule-update script do?  Does it restart Snort or reload configuration w/o restart?


On Thursday, March 20, 2014 5:25 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
Just to help narrow down the problem, can you write a file_data rule to match a credit card number in the email 
attachment to see if it fires?

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Thursday, March 20, 2014 3:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Detect Credit Card number in attached file

Hello,

I have a rule in place to detect credit card information that is passing through my network. Here is the rule:

alert tcp any any -> any any (msg:"Credit card number over email"; gid:138; sid:1000; rev:1; sd_pattern:2,credit_card; metadata:service smtp;)

With this rule in place, Snort detects credit card numbers that are in clear text in the body of the email, but 
if the credit card numbers are inside an attached file in the email, Snort does not detect them.

Any idea how we can get this to work?

Thanks,
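The difference between the two rules in this thread (the sd_pattern rule that only fires on numbers in the message body, and the file_data rule that also fires on the attachment) comes down to where the pattern is applied: an attachment travels base64-encoded inside the SMTP stream, so a pattern run over the raw bytes never sees the digits, while file_data hands the rule the decoded MIME part. The script below is an added illustration of that, not code from the thread or from Snort: it builds a constructed test message with one card-shaped number in the plain-text body and one inside a base64 attachment, then runs the pcre from the posted rule over the raw message and over each decoded MIME part. The card numbers are constructed test values from the Mastercard test range, the boundary string is fixed so it cannot accidentally contain a digit run, and the Luhn checksum is an added validation step that is not part of the posted rule.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# The pcre from the posted Snort rule, used unchanged as a Python regex.
MASTERCARD_RE = re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}")


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number.

    Added validation step (not in the posted rule): it weeds out digit runs that
    merely look like a card number, which cuts false positives from a bare regex.
    """
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_sample_message():
    """Constructed test message: one number in the body, one in a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"      # constructed addresses
    msg["To"] = "bob@example.test"
    msg["Subject"] = "test"
    # Plain ASCII body: the email library sends this 7bit, so the digits stay visible on the wire.
    msg.set_content("In the body: 5105 1051 0510 5100 (constructed test number)\n")
    # Binary attachment: application/octet-stream is base64-encoded on the wire.
    attachment = b"Attached: 5555-5555-5555-4444 (constructed test number)\n"
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="cards.txt")
    msg.set_boundary("constructed-boundary")  # fixed so the boundary holds no digit run
    return msg.as_bytes()


def scan_raw(raw):
    """Pattern run over the raw SMTP payload, i.e. without decoding any MIME part."""
    return [m.group(0) for m in MASTERCARD_RE.finditer(raw.decode("latin-1"))]


def scan_decoded(raw):
    """Pattern run over each decoded MIME part, which is what file_data gives a rule."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # base64/QP undone here
        hits.extend(m.group(0) for m in MASTERCARD_RE.finditer(payload.decode("latin-1")))
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw stream hits    :", scan_raw(raw))       # body only
    print("decoded part hits  :", scan_decoded(raw))   # body and attachment
    for hit in scan_decoded(raw):
        print(hit, "passes Luhn" if luhn_ok(hit) else "fails Luhn")
```

Running it shows the raw scan finding only the body number while the decoded scan finds both, which matches what the thread reports for the sd_pattern rule versus the file_data rule. The script does not model why the file_data rule stops firing after a minute or two; as the reply above says, that points at event filters or thresholds, or at Snort no longer running, rather than at the pattern.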

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
