We've got a set of SSN sigs already at bleeding edge:
http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_SSN_in_the_Clear?view=markup
As well as other similar, EIN, IRS stuff, all sorts of goodies in the
policy ruleset.
Matt
Bill Lopez wrote:
> Trying to write a simple rule to parse for SSN in plain text – what am I
> doing wrong??
>
> alert ip any any -> $EXTERNAL_NET any
> (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
> Text"; sid: 1000004 )
>
> rule returns this error
>
> ERROR: Unterminated rule in file /etc/snort/rules/TEST.rules, line 5
> (Snort rules must be contained on a single line or
> on multiple lines with a '\' continuation character
> at the end of the line, make sure there are no
> carriage returns before the end of this line)
> Fatal Error, Quitting..
>
> Have tried multiple versions of pcre string but always return the same
> error..
>
> Bill Lopez
> Operating Engineers Trust Funds
> (626) 356-3524
> (626) 255-1066
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
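
An added example, not part of either message and not Snort's own parser: a small pre-flight check for a rules file that applies only the condition quoted in the error text (one rule per line, or lines joined by a trailing '\'), plus a run of the posted pcre over sample payloads. The rule texts, payloads, action list and function names are constructed for illustration.

```python
import re

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SSN = re.compile(r"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}")  # pcre body from the posted rule

# Constructed sample: the rule split over three lines, as it appears in the post.
WRAPPED = r'''alert ip any any -> $EXTERNAL_NET any
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
Text"; sid: 1000004 )
'''
# Constructed sample: same rule, each break marked with '\', options closed with ';'.
CONTINUED = r'''alert ip any any -> $EXTERNAL_NET any \
(msg:"SSN Detected in Clear Text"; \
pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; sid:1000004;)
'''

def logical_lines(text):
    """Join physical lines that end in a backslash; yield (first_line_no, rule)."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1]          # drop the continuation marker, keep reading
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if start is not None:             # file ended in the middle of a continuation
        yield start, buf.strip()

def lint(text):
    """Return line numbers of logical lines that are not 'action header (options)'."""
    bad = []
    for no, rule in logical_lines(text):
        if not rule or rule.startswith("#"):
            continue                  # blank lines and comments are fine
        if not (rule.split()[0] in ACTIONS and "(" in rule and rule.endswith(")")):
            bad.append(no)
    return bad

def hits(payloads):
    """Payloads the posted pattern would alert on."""
    return [p for p in payloads if SSN.search(p)]

if __name__ == "__main__":
    print("wrapped:", lint(WRAPPED), "continued:", lint(CONTINUED))
    print(hits(["ssn=078-05-1120", "order 1234567890 shipped", "no digits here"]))
```

The second payload shows that the pattern as posted also fires on any run of nine digits, which matters when tuning the rule for false positives.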