Snort v2.5.0 sensitive data question
-
I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitiva data email address…".
So i had to disable it again to get back internet. Maybe i miss something related to that setting? Anyone can clear me that thing a little up? thx!
-
I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitiva data email address…".
So i had to disable it again to get back internet. Maybe i miss something related to that setting? Anyone can clear me that thing a little up? thx!
Great rule if you want to lock down your network or country….
with it on, this is what I suppress:
# Sensitive Data disable # # Credit Card Numbers #suppress gen_id 138, sig_id 2 # U.S. Social Security Numbers (with dashes) #suppress gen_id 138, sig_id 3 # U.S. Social Security Numbers (w/out dashes) #suppress gen_id 138, sig_id 4 # Email Addresses suppress gen_id 138, sig_id 5 # U.S. Phone Numbers suppress gen_id 138, sig_id 6 -
There are some default rules that come with it
Probably just copy them on to the custom rules and tweak!? -
Once sensitive data is enabled on the WAN interface preprocessors tab, where do you input/copy the custom rules?
-
Good question, since the costum_rules folder is gone… ???
Don't know if that is supposed to work:
exec("/bin/cp {$snortdir}/rules/* {$if_rule_dir}/rules"); if (file_exists("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) @copy("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules", "{$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); -
If you go to the Rules tab on the drop down you will have a custom.rules entry.
You can put those there. -
Ahhh, I see. Thx for that. Iwas copying my rules on the shell before. That makes things much easier.
Greets, Judex
-
Could you please point me to that "default rules"? Where can i find them? There are no sensitive data rules…
-
cat /usr/local/etc/snort/preproc_rules/sensitive-data.rules alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;) #alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)