Snort mailing list archives
Re: Sensitive Data Preprocessor: logging single matches
From: Victor Roemer <vroemer () sourcefire com>
Date: Tue, 1 Mar 2011 12:41:16 -0500
Hey Erik,

So far I'm not able to reproduce the issues you are seeing. Here's my rule:

alert tcp any any -> any any (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service imap, service pop3; sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)

Pcap with 1 (albeit fake) CC number in an http get request is attached. When I run this through snort I generate the following alert:

03/01-12:24:46.382944 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.1.2.3:48620 -> 0.0.0.80:8

03/01-12:24:46.382944 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x58
10.1.2.3:48620 -> 0.0.0.80:8 TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:74
***AP*** Seq: 0x2 Ack: 0x2 Win: 0x100 TcpLen: 20
47 45 54 20 2F 74 65 73 74 2E 70 68 70 3F 73 64  GET /test.php?sd
66 3D 35 31 30 34 36 32 37 35 30 34 39 32 58 58  f=510462750492XX
58 58                                            XX

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Something to keep in mind when running your tests is that the CC numbers are validated against the Luhn algorithm and per the README covers Visa, Mastercard, Discover, and American Express. Also, when logging in tcpdump binary ( -b ) I received all the data. This is all using 2.9.0.4.

Perhaps you could provide more information about your configuration and test data.

Thanks!

On Tue, Mar 1, 2011 at 11:41 AM, Erik Johnson <ejohnson () vailsys com> wrote:
> On Fri, Feb 25, 2011 at 08:59:54PM -0500, Victor Roemer wrote:
>> I think I can clear this up for you.
>>
>> preprocessor sensitive_data: alert_threshold 25
>>
>> This configuration dictates that after 25 occurrences of ANY combination of sdf rules are hit in a given session will cause SDF_COMBO_ALERT (139:1) to be triggered. Now, regardless of whatever alert_threshold is set to in the preprocessor, your gid:138 rules would still alert based on their settings.
>
> Yeah, I set it back to 25 and was able to confirm that I could trip the GID 138 rules with less than 25.
>
>> Now, for the specific PII rule you're interested in (Credit Cards) the default value of count is set to 2, meaning after 2 occurrences of the rule being hit (in a given session) you'll receive an alert. So if you wanted to alert after only seeing 1 credit card number you would change this count to 1.
>
> Unfortunately this is not the case. When it is set to one, a single CC number will not trip the alert, but 2 numbers will.
>
> Another issue I have noticed is that since I enabled the SDP, sensitive data alerts do not log the packet to the tcpdump log.
>
>> Hope this clears things up!
>>
>> On Fri, Feb 25, 2011 at 7:58 PM, Erik Johnson <ejohnson () vailsys com> wrote:
>>> I have enabled the SDP and have it successfully logging matches for Credit Card numbers and SSNs being sent in the clear through a mail server. However, according to the following README:
>>>
>>> http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD
>>>
>>> The preprocessor's alert threshold must be 'higher than the highest individual count in your "sd_pattern" rules'. With sd_pattern allowing a minimum count of 1, this means that the alert_threshold should be set to a minimum of 2. In fact, when I set it to 1, it still didn't log an alert until I put 2 valid credit card numbers into the email. This makes catching emails with single credit card numbers impossible. Is there a reason for this restriction, or a way around it?
>>>
>>> I apologize if this has been answered before, I searched but was unable to find any explanation.
>
> --
> Erik Johnson
> System Administrator
> Vail Systems
> e: ejohnson () vailsys com
> p: 866-254-7699
> http://www.vailsys.com
Attachment: cc-numbers.pcap
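The two points the thread turns on are that a candidate number only counts as a match if it passes the Luhn checksum, and that the per-rule `count` and the preprocessor `alert_threshold` are tallied per session. The following Python is an added example, not Snort's own code: the Luhn check is the standard algorithm the message refers to, while the session model (`SdfSessionModel`, the regex `CC_RE` and the sample payloads) is an assumption that mirrors the README semantics as described in the thread, and it does not check the card-issuer prefixes Snort applies. The industry test numbers used as sample input are constructed for the example.

```python
import re
from collections import defaultdict

# Rough card-number pattern: 13 to 16 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run.  Constructed for this example; it
# is not the pattern Snort's sd_pattern uses and it ignores issuer prefixes.
CC_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_valid_ccs(payload: str) -> list:
    """Return the Luhn-valid candidates in a payload, separators stripped."""
    found = []
    for m in CC_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


class SdfSessionModel:
    """Toy model of the counting semantics described in the thread.

    Assumption: this mirrors the README's description, not Snort's code.
    - the credit_card rule with `count` N raises 138:2 once N valid numbers
      have been seen in the session;
    - the combo alert 139:1 fires once `alert_threshold` matches were seen.
    """

    def __init__(self, count: int = 2, alert_threshold: int = 25):
        self.count = count
        self.alert_threshold = alert_threshold
        self.seen = defaultdict(int)   # session key -> valid matches so far

    def observe(self, session: str, payload: str) -> list:
        """Feed one payload; return the (gid:sid, msg) alerts it triggers."""
        before = self.seen[session]
        self.seen[session] += len(find_valid_ccs(payload))
        after = self.seen[session]
        alerts = []
        if before < self.count <= after:
            alerts.append(("138:2", "SENSITIVE-DATA Credit Card Numbers"))
        if before < self.alert_threshold <= after:
            alerts.append(("139:1", "SDF_COMBO_ALERT"))
        return alerts


# Constructed sample payloads using well-known industry test numbers.
PAYLOAD_ONE = "GET /test.php?sdf=4111111111111111 HTTP/1.1"
PAYLOAD_BAD_LUHN = "GET /test.php?sdf=4111111111111112 HTTP/1.1"
PAYLOAD_TWO = "card1=5500 0000 0000 0004&card2=378282246310005"


def demo() -> dict:
    """Run the model with count=1 and count=2 and collect what each produces."""
    results = {}
    # A number that fails Luhn is not a match at all, whatever count is set to.
    results["luhn_fails"] = find_valid_ccs(PAYLOAD_BAD_LUHN)
    # count=1: a single valid number in the session is enough.
    results["count1_single"] = SdfSessionModel(count=1).observe("s1", PAYLOAD_ONE)
    # count=2 (the default): the first number is silent, the second alerts.
    m2 = SdfSessionModel(count=2)
    results["count2_first"] = m2.observe("s2", PAYLOAD_ONE)
    results["count2_second"] = m2.observe("s2", PAYLOAD_ONE)
    # count=2 with both numbers in one payload alerts immediately.
    results["count2_two_in_one"] = SdfSessionModel(count=2).observe("s3", PAYLOAD_TWO)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Feeding the masked string from the archived hex dump (`sdf=510462750492XX`) through `find_valid_ccs` yields nothing, because only twelve digits survive the masking; a test pcap has to carry a full, Luhn-valid number for the rule to have anything to count.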