<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Kevin,</div>
<div> </div>
<div>I went in to do some testing and noticed that dlptest.com is using HTTPS. The initial homepage will load with HTTP but redirects to HTTPS. This could be why you are able to get an alert from the headers but not any of the CC data. Are there any other sites you are using that aren't using HTTPS?</div>
<div> </div>
<div>
<div>GET /sample-data/ HTTP/1.1<br/>
User-Agent: Wget/1.17.1 (linux-gnu)<br/>
Accept: */*<br/>
Accept-Encoding: identity<br/>
Host: dlptest.com<br/>
Connection: Keep-Alive</div>
<div> </div>
<div>HTTP/1.1 301 Moved Permanently<br/>
Date: Mon, 26 Jun 2017 15:22:38 GMT<br/>
Server: Apache<br/>
Location: https://dlptest.com/sample-data/<br/>
Cache-Control: max-age=3600<br/>
Expires: Mon, 26 Jun 2017 16:22:38 GMT<br/>
Content-Length: 0<br/>
Keep-Alive: timeout=5, max=100<br/>
Connection: Keep-Alive<br/>
Content-Type: text/html; charset=UTF-8</div>
</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Sunday, June 25, 2017 at 8:04 AM<br/>
<b>From:</b> "Peter Manev" <petermanev@gmail.com><br/>
<b>To:</b> "Kevin Geil" <info@friendandfamilytech.com><br/>
<b>Cc:</b> oisf-users@lists.openinfosecfoundation.org<br/>
<b>Subject:</b> Re: [Oisf-users] Configure Suricata to inspect HTTP body (Detect Credit Cards in clear)?</div>
<div name="quoted-content">
<div>
<div>Hi,</div>
<div id="AppleMailSignature"> </div>
<div><br/>
On 25 Jun 2017, at 15:31, Kevin Geil <<a href="mailto:info@friendandfamilytech.com" onclick="parent.window.location.href='info@friendandfamilytech.com'; return false;" target="_blank">info@friendandfamilytech.com</a>> wrote:<br/>
</div>
<blockquote>
<div>
<div>
<div>
<div>
<div>
<div>Hi, I'm trying to get suricata to detect credit card numbers transmitted in cleartext, and am having some trouble. I am using the rules referenced here: <a href="http://doc.emergingthreats.net/2001375" target="_blank">doc.emergingthreats.net/2001375</a> Through 2001383. I have tested the regexes against my test data, and have confirmed that they match. I'm trying to test using <a href="http://dlptest.com" target="_blank">dlptest.com</a> (and other similar sites), and can't get the rules to fire, using either http or FTP. I have tested Suricata by using suspicious user agent strings, and have confirmed that it's working.</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div> </div>
<div> </div>
<div>How exactly do you do your test exactly ?</div>
<div>If it is simply via visiting via a browser - browser cache may come into play so I suggest using wget instead.</div>
<blockquote>
<div>
<div>
<div>
<div>
<div>
<div> </div>
I haven't found anything in documentation regarding this, but I'm thinking my suricata instance (the one built in to Alienvault's OSSIM) is somehow configured to only look at http and ftp headers. Perhaps that's not my problem at all.<br/>
</div>
In any case, if someone could point me in the right direction on how to get these rules to fire, I'd greatly appreciate it.<br/>
</div>
</div>
</div>
</div>
</blockquote>
<div> </div>
<div>If it is a live test make sure NIC offloading is disabled and the traffic is seen by Suri. You can try to capture a pcap and run against to reproduce if needed.</div>
<div>By the way a plain ip rule with only a pcre inside will decimate your performance on live traffic.</div>
<div> </div>
<div>Thanks</div>
<div> </div>
<div> </div>
<blockquote>
<div>
<div>
<div>Thank you.<br/>
</div>
Kevin</div>
</div>
</blockquote>
<blockquote>
<div><span>_______________________________________________</span><br/>
<span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@openinfosecfoundation.org'; return false;" target="_blank">oisf-users@openinfosecfoundation.org</a></span><br/>
<span>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a></span><br/>
<span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span></div>
</blockquote>
_______________________________________________ Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></div>
</div>
</div>
</div>
</div></div></body></html>