Bill,
This is exactly the correct place to ask Snort Rules questions.
I suggest you eliminate the "ip" in the rule. Try replacing it with
TCP or even using the tcp rule that I jotted down.
Grabbing it out of an email should be easy, however an attachement is
not so easy depending upon the type of attachment, for example, if
it's a plaintext document or something, yes, it might grab it, but if
it's written in Word, or maybe a pdf, since those are formatted
differently, it's a bit harder.
So, step one, lets move from ip to tcp, and see how that works.
Also, try and eliminate your any any, perhaps change it to any any to
HOME_NET any
J
On Jan 26, 2007, at 1:58 PM, Bill Lopez wrote:
Thank you for the quick response to my question.
I don’t want to keep asking elementary questions in this forum if
its not appropriate, please let me know if this isn’t the proper
place and direct me to where I can ask basic questions.
I wasn’t able to get an alert on the bleeding rule
alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in
Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73
[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype: policy-violation; sid:
2001328; rev:8; )
thus the reason for trying to write my own with a small variance in
the character string –
alert ip any any -> $EXTERNAL_NET any (pcre:"/\d{3}(\s|-)?\d{2}
(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004;)
which doesn’t produce an alert either – eventually I want to apply
this filter to just traffic from/to mail , telnet, ftp (etc)
servers – I can send any variance of xxx-xx-xxxx, xxxxxxxx or xxx
xx xxxx via an e-mail, text file attachment or file upload and
still never see an alert to the console. I have a simple rule to
check for content using a keyword and get alerted when sending that
keyword with e-mail, attachment and file upload (this was my test
to see if snort was actually alerting correctly) I am only running
my test rules with an out of the box snort.conf file.
Why wouldn’t either of the above rules alert with (for example) an
e-mail sent with 555-55-5555 in the body?
Bill Lopez
Operating Engineers Trust Funds
(626) 356-3524
(626) 255-1066
----------------------------------------------------------------------
---
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to
share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?
page=join.php&p=sourceforge&CID=DEVDEV________________________________
_______________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--Joel
joel.esler@sourcefire.com
http://demo.sourcefire.com/jesler.pgp.key
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
