I'm overwhelmed by Sensitive Data related alerts.


alert file:

[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
04/17-07:41:46.392038 95.211.82.184:80 -> 192.168.10.70:1360
TCP TTL:128 TOS:0x0 ID:3097 IpLen:20 DgmLen:16992 DF
***A**** Seq: 0x6E3D19E5 Ack: 0x5108FB25 Win: 0xFFFF TcpLen: 20

[**] [139:1:1] SDF_COMBO_ALERT [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
04/17-07:41:46.393672 95.211.82.184 -> 192.168.10.70
PROTO:254 TTL:128 TOS:0x0 ID:3098 IpLen:20 DgmLen:56 DF

[**] [139:1:1] SDF_COMBO_ALERT [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
04/17-07:41:46.847266 95.211.82.184 -> 192.168.10.70
PROTO:254 TTL:128 TOS:0x0 ID:3116 IpLen:20 DgmLen:56 DF

[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
04/17-07:41:46.847266 95.211.82.184:80 -> 192.168.10.70:1363
TCP TTL:128 TOS:0x0 ID:3116 IpLen:20 DgmLen:6455 DF
***AP*** Seq: 0x91DC0473 Ack: 0x9C3CEA16 Win: 0xFDC0 TcpLen: 20



log file:

04/17-07:41:46.393672 95.211.82.184 -> 192.168.10.70
PROTO:254 TTL:128 TOS:0x0 ID:3098 IpLen:20 DgmLen:56 DF
53 45 4E 53 49 54 49 56 45 2D 44 41 54 41 20 45 SENSITIVE-DATA E
6D 61 69 6C 20 41 64 64 72 65 73 73 65 73 3A 20 mail Addresses:
20 32 35 00 25.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+=+=+=+=+=+=+=+=+=+=+=+

04/17-07:41:46.847266 95.211.82.184 -> 192.168.10.70
PROTO:254 TTL:128 TOS:0x0 ID:3116 IpLen:20 DgmLen:56 DF
53 45 4E 53 49 54 49 56 45 2D 44 41 54 41 20 45 SENSITIVE-DATA E
6D 61 69 6C 20 41 64 64 72 65 73 73 65 73 3A 20 mail Addresses:
20 32 35 00 25.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+=+=+=+=+=+=+=+=+=+=+=+

04/17-07:41:47.610476 95.211.82.184 -> 192.168.10.70
PROTO:254 TTL:128 TOS:0x0 ID:3148 IpLen:20 DgmLen:56 DF
53 45 4E 53 49 54 49 56 45 2D 44 41 54 41 20 45 SENSITIVE-DATA E
6D 61 69 6C 20 41 64 64 72 65 73 73 65 73 3A 20 mail Addresses:
20 32 35 00 25.


1- How do I know which one of 139:1:1 and 138:5:1 is related to the Sensitive Data Preprocessor?

2- Why does even requesting a jpg file result in an SDF alert being fired? I mean SDF needs 25 matched patterns to alert, if I understand correctly.

3- Is it true that some alerts also log data but some do not? Like 139:1:1 does not log data, but 138:5:1 does.

4- Besides the timestamp, how could I find the related log entry of a specific alert?


I'll appreciate the answers.