Snort mailing list archives
Re: preprocessor sensitive_data (snort 2.8.6.0)
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 4 Jun 2010 11:52:10 -0400
Ah, that explains it. The preprocessor marks which sections of the packet need to be X'd out, but it's the job of the output plugin to actually log the obfuscated version of the packet. The MySQL output plugin did not get updated.

In general, the MySQL output plugin is not heavily supported. Using it is detrimental to performance, anyway. Snort can't process the next packet while it waits for the MySQL plugin to finish its database insert.

When you get the chance, I would suggest you switch to Unified2 (which does obfuscation), and use Barnyard2 (http://www.securixlive.com/barnyard2/index.php) to handle your database inserts.

-Ryan

P.S. That counts as your regularly-scheduled database output plugin question.

On Fri, Jun 4, 2010 at 11:36 AM, Ron Jenkins <rjenkins () rmjcs net> wrote:
> Database to MySQL
>
> Below is the Preprocessor config too.
>
> # SDF sensitive data preprocessor. For more information see README.sensitive_data
> preprocessor sensitive_data: alert_threshold 25 \
>     mask_output
>
> Thx
>
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
> Sent: Friday, June 04, 2010 10:32 AM
> To: Ron Jenkins
> Cc: Jason Wallace; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)
>
> Ron,
>
> Which output plugin are you using? If you are getting some obfuscation, but in the wrong spot, this is also a known bug that will be fixed.
>
> -Ryan
>
> On Fri, Jun 4, 2010 at 11:22 AM, Ron Jenkins <rjenkins () rmjcs net> wrote:
>> Good morning;
>>
>> Also the mask out option does not appear to work either.
>>
>> Thx
>>
>> Ron Jenkins (SnortCP, VCP 3 / 4, MCNE, CNE6, MCPS, MCNPS, CCNA)
>> RMJ Consulting, LLC. "Bringing Companies and Solutions Together"
>> Owner / Senior Architect
>> Physical Address: 11715 Bricksome Ave STE B-7, Baton Rouge, LA 70816
>> Mail Address: 7575 Jefferson Hwy #103, Baton Rouge, LA 70806
>> Office. 225-448-5214
>> Fax. 225-448-5324
>> Cell. 225-931-1632
>> Email. rjenkins () rmjconsulting net
>> Web. http://www.rmjconsulting.net
>> http://www.linkedin.com/in/ronmjenkins
>>
>> -----Original Message-----
>> From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
>> Sent: Friday, June 04, 2010 9:40 AM
>> To: Jason Wallace
>> Cc: snort-users () lists sourceforge net
>> Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)
>>
>> Jason,
>>
>> Your concerns are all definitely valid.
>>
>> On Fri, Jun 4, 2010 at 9:58 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:
>>> We have the same issue. I know this preprocessor is new, and while it has huge potential, there are some challenges with it.
>>>
>>> 1. Long strings of numbers trigger false positives.
>>
>> This was a bug in the Release Candidate. As of Snort 2.8.6 final, both the "us_social" and "us_social_nodashes" patterns require a non-digit on both sides of the number. Have you seen this problem since upgrading to the release version?
>>
>>> 2. You can only have 1 rule with each default pattern type.
>>
>> I have a bug sitting in my Bugzilla queue right now to go back and fix this. Expect a change in the next major Snort release.
>>
>>> 3. From the README.sensitive_data.bz2
>>>
>>> Caveats:
>>> sd_pattern is not compatible with other rule options. Trying to use other rule options with sd_pattern will result in an error message.
>>
>> This one is not expected to change in the next release. I'll try to explain briefly.
>>
>> Normally, when a rule is parsed, it gets broken into sections and thrown into a "tree" with the other rules. Then, after all the preprocessors are done running on a packet, Snort goes through this tree and starts matching rules against the packet.
>>
>> When a sensitive data rule gets parsed, it does not go in the tree with the other rules. Instead, the Sensitive Data preprocessor becomes responsible for matching patterns and firing alerts. This gets done before the rest of the rules are even evaluated.
>>
>> I have an idea or two for organizing things differently so that this isn't a problem, but it's not a quick fix, and thus not very high on my list of priorities right now. I will try to get to it as time allows.
>>
>> -Ryan
>>
>> ------------------------------------------------------------------------------
>> ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
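The two points Ryan makes in this thread (the preprocessor only marks PII spans and relies on the output stage to apply mask_output, and the 2.8.6 release requires a non-digit on both sides of an SSN match) are easy to see in a small model. The block below is an added example, not Snort's code and not from anyone in the thread: the regexes are simplified stand-ins for the real us_social and us_social_nodashes checks (assumption; the real patterns are stricter), and "keep the last four digits" is an assumption about what mask_output does. The sample payload is constructed.

```python
import re
from dataclasses import dataclass

# Release-candidate behaviour as described in the thread: no boundary check,
# so any 9-digit run inside a longer number (timestamps, order IDs, ...) matches.
RC_PATTERNS = {
    "us_social": re.compile(rb"\d{3}-\d{2}-\d{4}"),
    "us_social_nodashes": re.compile(rb"\d{9}"),
}

# 2.8.6 final behaviour: a digit may not sit on either side of the candidate.
# Modelled with lookarounds; treating start/end of buffer as a boundary is an
# assumption of this example.
RELEASE_PATTERNS = {
    "us_social": re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "us_social_nodashes": re.compile(rb"(?<!\d)\d{9}(?!\d)"),
}


@dataclass(frozen=True)
class Hit:
    pattern: str
    start: int
    end: int


def scan(payload: bytes, patterns: dict) -> list:
    """Stage 1 (preprocessor): only record which byte ranges look like PII."""
    hits = []
    for name, rx in patterns.items():
        for m in rx.finditer(payload):
            hits.append(Hit(name, m.start(), m.end()))
    return sorted(hits, key=lambda h: h.start)


def should_alert(hits: list, alert_threshold: int) -> bool:
    """alert_threshold N: fire once N matches have been seen (per buffer here)."""
    return len(hits) >= alert_threshold


def obfuscate(payload: bytes, hits: list, keep_last: int = 4) -> bytes:
    """Stage 2 (output plugin): what mask_output asks the logger to do. Every
    digit in a marked span except the last `keep_last` becomes 'X'. An output
    plugin that never runs this stage logs the cleartext PII."""
    buf = bytearray(payload)
    for h in hits:
        digit_idx = [i for i in range(h.start, h.end) if buf[i] in b"0123456789"]
        cut = max(len(digit_idx) - keep_last, 0)
        for i in digit_idx[:cut]:
            buf[i] = ord("X")
    return bytes(buf)


# Constructed sample: a dashed SSN, an undashed SSN, and a 20-digit reference
# number that is not an SSN but contains two 9-digit runs.
PAYLOAD = b"ssn=123-45-6789&alt=987654321&ref=12345678901234567890&note=ok"

if __name__ == "__main__":
    for label, pats in (("RC", RC_PATTERNS), ("2.8.6 final", RELEASE_PATTERNS)):
        hits = scan(PAYLOAD, pats)
        print(f"{label}: {len(hits)} hit(s), alert@25={should_alert(hits, 25)}")
        print("  masked:", obfuscate(PAYLOAD, hits).decode())
```

Run as-is the RC patterns report four hits and X out two chunks of the reference number, while the release patterns report only the two real SSNs. The split between `scan` and `obfuscate` is the point of Ryan's first paragraph: a logger that stores the packet without calling the second step, as the MySQL plugin did, writes unmasked PII to the database even with mask_output set.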
Current thread:
- preprocessor sensitive_data (snort 2.8.6.0) Lawrence R. Hughes, Sr. (Jun 03)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Joel Esler (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Jason Wallace (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Safwat Fahmy (Jun 04)
- Message not available
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Message not available
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Jason Wallace (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Joel Esler (Jun 04)