Snort mailing list archives

Re: Sensitive Data Preprocessor: logging single matches


From: Victor Roemer <vroemer () sourcefire com>
Date: Tue, 1 Mar 2011 12:41:16 -0500

Hey Erik,


So far I'm not able to reproduce the issues you are seeing.

Here's my rule

alert tcp any any -> any any (msg:"SENSITIVE-DATA Credit Card Numbers";
metadata:service http, service smtp, service imap, service pop3;
sd_pattern:1,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)


Pcap with 1 (albeit fake) CC number in an HTTP GET request is attached; when
I run this through Snort I generate the following alert:

03/01-12:24:46.382944  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers
[**] [Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2] {TCP} 10.1.2.3:48620 -> 0.0.0.80:8
03/01-12:24:46.382944 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800
len:0x58
10.1.2.3:48620 -> 0.0.0.80:8 TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:74
***AP*** Seq: 0x2  Ack: 0x2  Win: 0x100  TcpLen: 20
47 45 54 20 2F 74 65 73 74 2E 70 68 70 3F 73 64  GET /test.php?sd
66 3D 35 31 30 34 36 32 37 35 30 34 39 32 58 58  f=510462750492XX
58 58                                            XX

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Something to keep in mind when running your tests is that the CC numbers are
validated against the Luhn algorithm and, per the README, cover Visa,
Mastercard, Discover, and American Express.


Also, when logging in tcpdump binary (-b), I received all the data.

This is all using 2.9.0.4.


Perhaps you could provide more information about your configuration and test
data.


Thanks!

On Tue, Mar 1, 2011 at 11:41 AM, Erik Johnson <ejohnson () vailsys com> wrote:

On Fri, Feb 25, 2011 at 08:59:54PM -0500, Victor Roemer wrote:

I think I can clear this up for you.

preprocessor sensitive_data: alert_threshold 25

This configuration dictates that after 25 occurrences of ANY combination of
sdf rules are hit in a given session, SDF_COMBO_ALERT (139:1) will be
triggered.

Now, regardless of whatever alert_threshold is set to in the preprocessor,
your gid:138 rules would still alert based on their settings.


Yeah, I set it back to 25 and was able to confirm that I could trip the
GID 138 rules with less than 25.


Now, for the specific PII rule you're interested in (Credit Cards) the default
value of count is set to 2, meaning after 2 occurrences of the rule being hit
(in a given session) you'll receive an alert.

So if you wanted to alert after only seeing 1 credit card number you would
change this count to 1.


Unfortunately this is not the case. When it is set to one, a single CC
number will not trip the alert, but 2 numbers will.


Another issue I have noticed is that since I enabled the SDP, sensitive
data alerts do not log the packet to the tcpdump log.


Hope this clears things up!

On Fri, Feb 25, 2011 at 7:58 PM, Erik Johnson <ejohnson () vailsys com>
wrote:

I have enabled the SDP and have it successfully logging matches for
Credit Card numbers and SSNs being sent in the clear through a mail
server. However, according to the following README:



http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD

The preprocessor's alert threshold must be 'higher than the highest
individual count in your "sd_pattern" rules'. With sd_pattern allowing a
minimum count of 1, this means that the alert_threshold should be set to
a minimum of 2. In fact, when I set it to 1, it still didn't log an
alert until I put 2 valid credit card numbers into the email. This makes
catching emails with single credit card numbers impossible. Is there a
reason for this restriction, or a way around it?

I apologize if this has been answered before, I searched but was unable
to find any explanation.


--

Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699

http://www.vailsys.com


Attachment: cc-numbers.pcap
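
A small model of the threshold semantics discussed in this thread, added here as an illustration and not code from Snort or from either poster. It assumes the behaviour as described above: each Luhn-valid card number in a session bumps the sd_pattern rule's counter, the gid 138 rule (sid 2, as in the rule quoted above) alerts when that counter reaches `count`, the 139:1 combo alert fires when hits across all sdf rules reach `alert_threshold`, and the README's "threshold higher than every count" rule is enforced at configuration time; the card-number pattern, the `SdfSession` class and the sample numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed model (not Snort's code) of the semantics described in the thread.
# 15- or 16-digit candidates, digits optionally separated by a space or a dash.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){14,15}\d(?![\d-])")


def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit, fold >9 to one digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(payload: str) -> list[str]:
    """Return the Luhn-valid card numbers found in payload, separators stripped."""
    cards = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            cards.append(digits)
    return cards


class SdfSession:
    """Per-session counters for one credit_card sd_pattern rule (gid 138, sid 2)."""

    def __init__(self, count: int = 2, alert_threshold: int = 25):
        # README: alert_threshold must be higher than the highest individual count
        if alert_threshold <= count:
            raise ValueError("alert_threshold must exceed every sd_pattern count")
        self.count, self.alert_threshold = count, alert_threshold
        self.hits = defaultdict(int)  # rule name -> hits seen in this session

    def feed(self, payload: str) -> list[str]:
        """Process one packet payload; return the alerts it triggers (first crossing only)."""
        n = len(find_cards(payload))
        if n == 0:
            return []
        alerts = []
        before = self.hits["credit_card"]
        self.hits["credit_card"] = before + n
        if before < self.count <= before + n:        # rule's own count reached
            alerts.append("138:2")
        total = sum(self.hits.values())
        if total - n < self.alert_threshold <= total:  # combo threshold reached
            alerts.append("139:1")
        return alerts
```

With the defaults (count 2) a single card in a session produces nothing and the second one raises 138:2; with count 1 the first card alerts, which is the behaviour the thread is trying to confirm.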