[Oisf-users] Configure Suricata to inspect HTTP body (Detect Credit Cards in clear)?

[Peter Manev]

Hi,


> On 25 Jun 2017, at 15:31, Kevin Geil <info at friendandfamilytech.com> wrote:
> 
> Hi, I'm trying to get suricata to detect credit card numbers transmitted in cleartext, and am having some trouble.  I am using the rules referenced here: doc.emergingthreats.net/2001375  Through 2001383.  I have tested the regexes  against my test data, and have confirmed that they match.  I'm trying to test using dlptest.com (and other similar sites), and can't get the rules to fire, using either http or FTP.  I have tested Suricata by using suspicious user agent strings, and have confirmed that it's working.


How exactly do you do your test exactly ?
If it is simply via visiting via a browser - browser cache may come into play so I suggest using wget instead.

> 
> I haven't found anything in documentation regarding this, but I'm thinking my suricata instance (the one built in to Alienvault's OSSIM) is somehow configured to only look at http and ftp headers.  Perhaps that's not my problem at all.
> 
> In any case, if someone could point me in the right direction on how to get these rules to fire, I'd greatly appreciate it.
> 

If it is a live test make sure NIC offloading is disabled and the traffic is seen by Suri. You can try to capture a pcap and run against to reproduce if needed.
By the way a plain ip rule with only a pcre inside will decimate your performance on live traffic.

Thanks



> Thank you.
> 
> Kevin
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170625/a39ffc3e/attachment-0002.html>