Thank you for the quick response to my question.
I don't want to keep asking elementary questions in this forum if it's not
appropriate. Please let me know if this isn't the proper place and direct me
to where I can ask basic questions.
I wasn't able to get an alert on the Bleeding Edge rule
alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype: policy-violation; sid: 2001328; rev:8; )
hence my attempt to write my own with a small variance
in the character string:
alert ip any any -> $EXTERNAL_NET any (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004;)
which doesn't produce an alert either. Eventually I want to apply this
filter to just traffic from/to mail, telnet, ftp (etc.) servers. I can send
any variant of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an e-mail, text file
attachment or file upload and still never see an alert on the console. I have
a simple rule to check for content using a keyword and get alerted when
sending that keyword via e-mail, attachment and file upload (this was my test
to see if snort was actually alerting correctly). I am only running my test
rules with an out-of-the-box snort.conf file.
Why wouldn't either of the above rules alert with (for example) an e-mail
sent with 555-55-5555 in the body?
Bill Lopez
Operating Engineers Trust Funds
(626) 356-3524
(626) 255-1066
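The following is an added example, not part of the post above and not Snort's own code: it takes the two pcre expressions exactly as posted and runs them against a handful of constructed payloads to show what each would and would not match at the regex layer. It does not model Snort's stream reassembly or the flow:established check; it only shows the pattern behaviour, including the fact that the Bleeding Edge expression requires a literal space on both sides of the SSN, that base64-encoded attachment bodies carry no literal digits for either pattern to see, and that the looser expression also fires on any nine consecutive digits, such as the first nine digits of a ten-digit phone number. The sample payloads and the scan() helper are this example's own constructions.

```python
import base64
import quopri
import re

# The two pcre expressions from the post, transcribed into Python's re
# syntax (pattern text unchanged; only the /.../ delimiters are dropped).
# Note the literal space at each end of the Bleeding Edge pattern.
BLEEDING_SSN = re.compile(r" ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} ")
LOOSE_SSN = re.compile(r"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}")


def scan(payload: bytes) -> dict:
    """Report whether each pattern would match a raw payload (hypothetical helper).

    Snort matches on the bytes as they appear on the wire, so the payload is
    decoded as latin-1 to preserve a one-to-one byte-to-character mapping.
    """
    text = payload.decode("latin-1")
    return {
        "bleeding": BLEEDING_SSN.search(text) is not None,
        "loose": LOOSE_SSN.search(text) is not None,
    }


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # SSN with a space on both sides, as the Bleeding Edge pattern requires.
    "body_spaced": b"My number is 555-55-5555 please keep it safe",
    # SSN at the end of a sentence: the trailing character is '.', not ' ',
    # so the spaced pattern cannot match; the loose one still does.
    "body_end_of_line": b"My number is 555-55-5555.\r\n",
    # The same digits inside a base64-encoded attachment: on the wire there
    # are no literal digits in SSN shape, so neither pattern can fire.
    "attachment_base64": base64.b64encode(b"SSN: 555-55-5555\n"),
    # quoted-printable leaves printable ASCII alone, so the digits survive.
    "body_qp": quopri.encodestring(b"R\xe9sum\xe9: 555-55-5555 ok\n"),
    # A ten-digit phone number with no separators: the loose pattern matches
    # the first nine digits, the spaced pattern does not (no hyphens).
    "phone": b"call 6263563524 today",
}


def run_samples() -> dict:
    """Run both patterns over every sample and return the results by name."""
    return {name: scan(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:20s} bleeding={result['bleeding']!s:5s} loose={result['loose']}")
```

Running this shows the two patterns disagreeing on the end-of-line and phone-number samples and both staying silent on the base64 attachment, which is worth keeping in mind when testing with attachments or uploads: the regex can only see digits that are actually present in the bytes Snort inspects.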