Snort mailing list archives

Re: Detect Credit Card number in attached file


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Mon, 31 Mar 2014 18:11:59 +0000

What about the total number of packets analyzed and the protocol breakdown numbers.  Are those changing?

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Monday, March 31, 2014 1:58 PM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Detect Credit Card number in attached file

I did run that but do not see any change. Something should conflict or disable my rule. Any other idea?


On Thursday, March 27, 2014 12:08 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
Something like:

kill -s usr1 `pidof snort`

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Thursday, March 27, 2014 11:55 AM
To: hosein izadi; Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Detect Credit Card number in attached file

Could you please tell me what command exactly I need to run? dump stats has different arguments, and also I have never 
used it before.
Thanks,


On Monday, March 24, 2014 5:12 PM, hosein izadi <fhoseinh () yahoo com> wrote:
I can say Snort is running because it is firing for other alerts. I did not set up any event filter, otherwise it would 
never fire, but this fires as soon as I update the rule. I found something that I had better share here. In the Snort manual I 
found this document:

3.5.25 file_data
This option sets the cursor used for detection to one of the following buffers:
1. When the traffic being detected is HTTP it sets the buffer to,
   a. HTTP response body (without chunking/compression/normalization)
   b. HTTP de-chunked response body
   c. HTTP decompressed response body (when inspect_gzip is turned on)
   d. HTTP normalized response body (when normalized_javascript is turned on)
   e. HTTP UTF normalized response body (when normalize_utf is turned on)
   f. All of the above
2. When the traffic being detected is SMTP/POP/IMAP it sets the buffer to,
   a. SMTP/POP/IMAP data body (including Email headers and MIME when decoding is turned off)
   b. Base64 decoded MIME attachment (when b64_decode_depth is greater than -1)
   c. Non-Encoded MIME attachment (when bitenc_decode_depth is greater than -1)
   d. Quoted-Printable decoded MIME attachment (when qp_decode_depth is greater than -1)
   e. Unix-to-Unix decoded attachment (when uu_decode_depth is greater than -1)
Any relative or absolute content matches (without HTTP modifiers or rawbytes) and payload detecting rule options that 
follow file_data in a rule will apply to this buffer until explicitly reset by other rule options.
This rule option can be used several times in a rule.
The argument mime to file_data is deprecated. The rule option file_data will itself point to the decoded MIME 
attachment.

Doesn't this simply mean that the cursor's position changes every time we have new traffic? So, when I restart Snort 
and send an email immediately to test the rule, it fires, but after that, as soon as it sees other traffic on the wire like HTTP, 
it changes the cursor to another buffer. But I do not know why it does not get the cursor back the next time it sees SMTP 
traffic and fire for that.

Also, I simply send email over network to see if it fires up or not.

Thanks,



On Monday, March 24, 2014 3:28 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Friday, March 21, 2014 2:00 PM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Detect Credit Card number in attached file

rule-update script is a normal script you run every time you add a new rule to your local rules. It restarts Snort. But 
what do you think about the rule itself? Am I missing something?

The rule is fine to demonstrate that Snort is detecting on the attachment.  Not sure why it stops firing though.  Do 
you have any event filters / thresholds?

Actually, are you sure Snort is still running when this rule stops firing?

Are you just replaying the same pcap over and over or is this happening with live traffic?



On Friday, March 21, 2014 1:48 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Friday, March 21, 2014 8:45 AM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Detect Credit Card number in attached file

Excellent point Russ, so I had a rule in place like below for a while, here is the rule:

alert tcp any any -> any any (msg:"Credit card numbers sent over email";file_data;pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/";content:"mastercard";sid:9001215;rev:1;)

With this rule in place, what happens is, as soon as I put the rule in place and run /usr/bin/rule-update, I 
can see Snort detects a Mastercard credit card number even if it is in an attached file, but the problem is this rule just 
works for 1 or 2 minutes and after that it stops detecting credit card numbers, and if I want to get it to work I have to run 
/usr/bin/rule-update again and have it working again for 1 or 2 minutes as I said.
I would like to know why this happens, and if we can get this to work.
Thanks,

What does your rule-update script do?  Does it restart Snort or reload configuration w/o restart?


On Thursday, March 20, 2014 5:25 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
Just to help narrow down the problem, can you write a file_data rule to match a credit card number in the email 
attachment to see if it fires?

________________________________
From: hosein izadi [fhoseinh () yahoo com]
Sent: Thursday, March 20, 2014 3:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Detect Credit Card number in attached file

Hello,

I have a rule in place to detect credit card information that is passing through my network. Here is the rule:

alert tcp any any -> any any (msg:"Credit card number over email";gid:138;sid:1000;rev:1;sd_pattern:2,credit_card;metadata:service smtp;)

With this rule in place, Snort detects credit card numbers that are in clear text in the body of the email, but 
if the credit card numbers are inside a file attached to the email, Snort does not detect them.

Any idea how we can get this to work?

Thanks,
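As an added illustration (this is not code from the thread or from the Snort project), the Python below builds a constructed test mail with a 16-digit lookalike in the clear-text body and the public Mastercard test number 5105 1051 0510 5100 inside a base64 attachment, then runs the rule's PCRE once over the raw SMTP bytes and once over the decoded attachment, which is the buffer file_data hands to the rule. The Luhn check is an addition of this example, not something the posted pcre option does.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The PCRE from the rule in the thread, used unchanged (Python's re accepts it).
CARD_RE = re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}")


def luhn_ok(candidate: str) -> bool:
    """Mod-10 check (added here, not in the rule) to drop 16-digit lookalikes."""
    total = 0
    for i, ch in enumerate(reversed(re.sub(r"\D", "", candidate))):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def build_wire_message() -> bytes:
    """Constructed test mail: a non-Luhn lookalike in the clear-text body and the
    public Mastercard test number 5105 1051 0510 5100 in a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("Invoice attached. Ref 5123 4567 8901 2345\n")
    msg.add_attachment(b"Card number: 5105 1051 0510 5100\n", maintype="text",
                       subtype="plain", filename="card.txt", cte="base64")
    msg.set_boundary("constructed-boundary")  # keep random digits off the wire
    return msg.as_bytes()


def find_cards(data: bytes) -> list:
    return [m.group(0) for m in CARD_RE.finditer(data.decode("latin-1"))]


def scan(wire: bytes) -> dict:
    """Match on the raw SMTP bytes (no file_data) versus on the decoded attachment
    (the buffer file_data selects), then keep only Luhn-valid candidates."""
    raw_hits = find_cards(wire)
    msg = email.message_from_bytes(wire, policy=policy.default)
    attachment_hits = []
    for part in msg.iter_attachments():
        attachment_hits += find_cards(part.get_payload(decode=True))
    return {"raw": raw_hits, "attachment": attachment_hits,
            "luhn_valid": [c for c in raw_hits + attachment_hits if luhn_ok(c)]}


if __name__ == "__main__":
    print(scan(build_wire_message()))
```

The raw pass sees only the body number, the decoded pass finds the one in the attachment, and the Luhn filter discards the body lookalike.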


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
