#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; classtype:policy-violation; sid:2001376; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:27 UTC


#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; classtype:policy-violation; sid:2001376; rev:12;)

Added 2011-10-12 19:10:21 UTC

Example of a false positive, whose pcre does not even match correctly: .........<GUID>799addcd-e329-4fa0-4443-676c4386b20b</GUID>.............<Name>New.Filter</Name>.............<Description>Filter.Description</Description>.............<EventLog>Security</EventLog>.............<Flags>432</Flags>.............<TimeWritten./>.............<EventID>978</EventID>.............<EventType>8</EventType>.............<EventCategory>0</EventCategory>.............<Source>*</Source>.............<User>*</User>.............<Computer>*</Computer>.............<InsertionString.number="9">8</InsertionString>.............<Level></Level>.............<Keywords>0</Keywords>.............<Priority>0</Priority>.........</Filter>.........<Filter>.............<GUID>ddf9647d-700e-1423-9aa0-e989bf580b11</GUID>.............<Name>New.Filter</Name>.............<Description>Filter.Description</Description>.............<EventLog>Security</EventLog>.............<Flags>615</Flags>.............<TimeWritten./>.............<EventID>826</EventID>.............<EventType>8</EventType>.............<EventCategory>0</EventCategory>.............<Source>*</Source>.............<User>*</User>.............<Computer>*</Computer>.............<Level></Level>.............<Keywords>0</Keywords>.............<Priority>0</Priority>.........</Filter>.........<Filter>.............<GUID>013d13aa-4e29-4e2a-a0fd-5daaa51d4432</GUID>.............<Name>New.Filter</Name>.............<Description>Filter.Description</Description>.............<EventLog>Security</EventLog>....

-- RaulDusa - 2014-06-12

In my testing here this string does not match the regex. Do you have a pcap or some more data you could send? Please send to ftrudeau @ emergingthreats . net.

-- FrancisTrudeau - 2014-06-16
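
Added example, not part of the original thread or of the Emerging Threats rule set: it runs the pcre from sid:2001376 over an excerpt of the payload posted above and lists which of the pattern's conditions each card-shaped token fails. The `CANDIDATE` pattern, the `explain` helper and the two `pan=` lines are constructed for this illustration.

```python
import re

# PCRE body copied verbatim from sid:2001376; note the literal leading space.
RULE_PCRE = re.compile(rb" (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}")

# Hypothetical helper pattern (not part of the rule): any four dash-joined
# groups of four hex characters plus the byte before them, found with a
# lookahead so overlapping candidates inside a GUID are all reported.
CANDIDATE = re.compile(rb"(?=(.)((?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{4}))", re.S)
CARD_PREFIX = re.compile(rb"6011|5[1-5]\d{2}|4\d{3}|3\d{3}")


def rule_matches(payload: bytes) -> bool:
    """True if the rule's pcre would fire on this payload."""
    return RULE_PCRE.search(payload) is not None


def explain(payload: bytes) -> list[tuple[str, list[str]]]:
    """For each card-shaped token, list the pcre conditions it fails."""
    report = []
    for m in CANDIDATE.finditer(payload):
        prev, token = m.group(1), m.group(2)
        reasons = []
        if prev != b" ":
            reasons.append("no leading space")
        if not token.replace(b"-", b"").isdigit():
            reasons.append("non-digit characters")
        if not CARD_PREFIX.match(token):
            reasons.append("first group not a card prefix")
        report.append((token.decode(), reasons))
    return report


# Excerpt of the payload posted above, plus two constructed lines.
REPORTED = b".........<GUID>799addcd-e329-4fa0-4443-676c4386b20b</GUID>....."
CONSTRUCTED_HIT = b"pan= 4111-1111-1111-1111"   # constructed test value
CONSTRUCTED_MISS = b"pan=4111-1111-1111-1111"   # same digits, no space

if __name__ == "__main__":
    for sample in (REPORTED, CONSTRUCTED_HIT, CONSTRUCTED_MISS):
        print(rule_matches(sample), explain(sample))
```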


#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; classtype:policy-violation; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; sid:2001376; rev:12;)

Added 2011-09-14 20:54:53 UTC


#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; classtype:policy-violation; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001376; rev:12;)

Added 2011-02-04 17:21:26 UTC


#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001376; rev:12;)

Added 2009-02-11 19:00:24 UTC


#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001376; rev:11;)

Added 2008-03-08 21:16:18 UTC


#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001376; rev:11;)

Added 2008-03-08 21:11:53 UTC


#alert ip any any -> any any (msg: "ET Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001376; rev:10;)

Added 2008-01-31 18:48:09 UTC


#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001376; rev:9; )



Topic revision: r3 - 2014-06-16 - FrancisTrudeau
 