Snort mailing list archives
Re: preprocessor sensitive_data (snort 2.8.6.0)
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 4 Jun 2010 09:58:35 -0400
We have the same issue. I know this preprocessor is new, and while it has huge potential, there are some challenges with it.

1. Long strings of numbers trigger false positives. ex. I saw this in some web traffic trigger the "SENSITIVE-DATA U.S. Social Security Numbers w/out dashes" rule...

    --10 05/25/2010 STBT 93 93 1 0 3780089812 3780089905 [2 non-ASCII characters]
    ---- 05/25/2010 RTL 68 0 1 0 3780089812 3780089905 [2 non-ASCII characters]
    --11 05/24/2010 STBT 122 122 73 0 3780089689 3780089811 [2 non-ASCII characters]
    ---- 05/24/2010 RTL 81 81 73 0 3780089689 3780089811 [2 non-ASCII characters]
    --13 05/22/2010 STBT 123 123 92 1 3780089566 3780089688

In those strings there might be 9 consecutive digits that could be a SSN, but the strings themselves are too long, making it unlikely they are actually SSNs. An option to say it has to be exactly 9 digits to be considered a SSN would help with this.

2. You can only have 1 rule with each default pattern type. ex.

    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers with dashes"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)

You can NOT split that like so...

    alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"SENSITIVE-DATA U.S. Social Security Numbers with dashes HTTP"; metadata:service http; sd_pattern:2,us_social; classtype:sdf; sid:10; gid:138; rev:1;)
    alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"SENSITIVE-DATA U.S. Social Security Numbers with dashes SMTP"; metadata:service smtp; sd_pattern:2,us_social; classtype:sdf; sid:11; gid:138; rev:1;)

If you try you get this error...

    ERROR: Sensitive Data rule 138:11 uses a pattern that duplicates rule 138:10.
    Fatal Error, Quitting..

Being able to split them would provide more targeted detection.

3. From the README.sensitive_data.bz2 Caveats: "sd_pattern is not compatible with other rule options. Trying to use other rule options with sd_pattern will result in an error message." This makes it difficult to write rules that will not pick up on things like cookie strings.

Wally

On Fri, Jun 4, 2010 at 8:39 AM, Joel Esler <jesler () sourcefire com> wrote:
> Take a look at the sensitive-data.rules as well as the README for the sensitive data preprocessor to see how you can write your own rules, etc, to detect what you'd like. The rules are great examples, you can build from there.
>
> On Jun 3, 2010, at 6:06 PM, Lawrence R. Hughes, Sr. wrote:
>> Hi,
>> When we enable the "preprocessor sensitive_data", we are getting alerts for everyday cookies. Is there a way to tighten this up or disable the cookies from being detected?
>
> --
> Joel Esler
> 302-223-5974
> Jabber: jesler () sourcefire com
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
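An added illustration of the "exactly 9 digits" option Wally asks for (this is not code from the thread and not Snort's own sd_pattern logic): three candidate patterns are run over constructed lines modelled on the counters he quotes plus a cookie header of the kind Lawrence complains about, and an optional structural SSN filter is included as a further assumption.

```python
import re

# Constructed sample lines modelled on the ones quoted in the post and on the
# cookie complaint earlier in the thread; none of this is captured traffic.
SAMPLE_LINES = [
    "--10 05/25/2010 STBT 93 93 1 0 3780089812 3780089905",
    "---- 05/25/2010 RTL 68 0 1 0 3780089812 3780089905",
    "Set-Cookie: session=9f4c123456789a7b; Path=/",
    "Employee record: SSN 123456789 on file",
]

# Three ways of asking "is there a nine-digit SSN candidate here?":
#   naive - any run of nine digits, even inside a longer number (the
#           behaviour the poster saw firing on 10-digit counters)
#   exact - nine digits with no digit on either side: "exactly 9 digits"
#   token - nine digits forming a whole word token, which also skips digit
#           runs embedded in hex/alphanumeric cookie values
PATTERNS = {
    "naive": re.compile(r"\d{9}"),
    "exact": re.compile(r"(?<!\d)\d{9}(?!\d)"),
    "token": re.compile(r"\b\d{9}\b"),
}


def structurally_valid_ssn(digits):
    """Cheap structural filter for a dashless SSN (area-group-serial).

    Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    so such candidates can be dropped before alerting. This is an added
    assumption-level check, not the preprocessor's own validation.
    """
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def find_candidates(line, mode="exact", validate=False):
    """Nine-digit candidates in one line under the chosen mode, optionally
    filtered by the structural check."""
    hits = PATTERNS[mode].findall(line)
    return [h for h in hits if structurally_valid_ssn(h)] if validate else hits


def count_hits(lines, mode, validate=False):
    """Total candidates across lines; compare modes to gauge false positives."""
    return sum(len(find_candidates(line, mode, validate)) for line in lines)


if __name__ == "__main__":
    for mode in PATTERNS:
        print(f"{mode}: {count_hits(SAMPLE_LINES, mode)} hit(s)")
```

On these lines the naive pattern fires six times, the exact pattern twice, and the token pattern only on the genuine SSN; the structural filter also rejects the quoted counters because their group field is 00.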