Snort mailing list archives
Re: Possible new idea for PII/Sensitive Data in Snort
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Wed, 25 Jun 2014 16:10:39 -0300
Hi Bill,

I think it could be an interesting thing to do. If you need a practical solution, you may generate a rules file definition with a little help from some Python code, like this:

    def genrules(base, lo, hi, sid_base=1000001):
        # One rule per suffix value. content and msg are quoted and every rule gets
        # its own sid, since Snort refuses to load a rule without either.
        rules = ''
        for code in range(lo, hi + 1):
            rules += ('alert tcp any any -> any any (content:"' + base + str(code)
                      + '"; nocase; msg:"HIPPA Alert. Packet with ' + str(code)
                      + ' detected."; sid:' + str(sid_base + code - lo) + ';)\n')
        return rules

If you call this function with some of your example lines, let's take this one:

    print(genrules('90598-90800Z', 37, 49))

It will return:

    alert tcp any any -> any any (content:90598-90800Z37; nocase; msg:"HIPPA Alert. Packet with 37 detected.";)
    alert tcp any any -> any any (content:90598-90800Z38; nocase; msg:"HIPPA Alert. Packet with 38 detected.";)
    alert tcp any any -> any any (content:90598-90800Z39; nocase; msg:"HIPPA Alert. Packet with 39 detected.";)
    alert tcp any any -> any any (content:90598-90800Z40; nocase; msg:"HIPPA Alert. Packet with 40 detected.";)
    alert tcp any any -> any any (content:90598-90800Z41; nocase; msg:"HIPPA Alert. Packet with 41 detected.";)
    alert tcp any any -> any any (content:90598-90800Z42; nocase; msg:"HIPPA Alert. Packet with 42 detected.";)
    alert tcp any any -> any any (content:90598-90800Z43; nocase; msg:"HIPPA Alert. Packet with 43 detected.";)
    alert tcp any any -> any any (content:90598-90800Z44; nocase; msg:"HIPPA Alert. Packet with 44 detected.";)
    alert tcp any any -> any any (content:90598-90800Z45; nocase; msg:"HIPPA Alert. Packet with 45 detected.";)
    alert tcp any any -> any any (content:90598-90800Z46; nocase; msg:"HIPPA Alert. Packet with 46 detected.";)
    alert tcp any any -> any any (content:90598-90800Z47; nocase; msg:"HIPPA Alert. Packet with 47 detected.";)
    alert tcp any any -> any any (content:90598-90800Z48; nocase; msg:"HIPPA Alert. Packet with 48 detected.";)
    alert tcp any any -> any any (content:90598-90800Z49; nocase; msg:"HIPPA Alert. Packet with 49 detected.";)

You may then call this function for each of your lines and append all of them into a file called hippa.rules. (Or you can even generate a .py calling all of them and write the output to a file from within the same Python code.) When you have your rules definition file ready, you can include it in your snort.conf file.

Hope it helps!
Emiliano

2014-06-25 14:59 GMT-03:00 Bill Parker <wp02855 () gmail com>:
Hi All,

The information below is what I broke down to see if it would be useful to add new rules to snort to detect medical diagnosis codes (ICD-10 format), since this being transmitted in cleartext could be PII/sensitive data or a potential HIPAA violation (data leakage). I would appreciate some suggestions on implementing this (either with PCRE in snort rules), or would making a new preprocessor or modifying an existing one be more in line?

FY 2015 ICD-10 Codes PCRE/Pattern Match Values

This indicates POTENTIAL ICD-10 codes transmitted in cleartext (think possible HIPAA violation, PII/Sensitive Data)

note: yyyy values can be alpha-numeric (and optional)

00001-00688 Annyyyy (where nn is 00 to 99)
00689-01292 Bnnyyyy (where nn is 00 to 99)
01293-02038 Cnnyyyy (where nn is 00 to 75)
02039-02076 C7xyyyy (where x is 'A' or 'B') - non case sensitive
02077-02717 Cnnyyyy (where nn is 76 to 96)
02718-03615 Dnnyyyy (where nn is 00 to 89)
03616-04494 Ennyyyy (where nn is 00 to 89)
04495-05421 Fnnyyyy (where nn is 01 to 99)
05422-06213 Gnnyyyy (where nn is 00 to 99)
06214-06867 Hnnyyyy (where nn is 00 to 05)
06868-07811 Hnnyyyy (where nn is 10 to 11)
07812-07522 Hnnyyyy (where nn is 15 to 18)
07523-07698 Hnnyyyy (where nn is 20 to 21)
07699 H22 (specific code)
07700-07854 Hnnyyyy (where nn is 25 to 27)
07855 H28 (specific code)
07856-08007 Hnnyyyy (where nn is 30 to 31)
08008 H32 (specific code)
08009-08312 Hnnyyyy (where nn is 33 to 35)
08313 H36 (specific code)
08314-08608 Hnnyyyy (where nn is 40)
08609 H42 (specific code)
08610-08829 Hnnyyyy (where nn is 43 to 44)
08830-08951 Hnnyyyy (where nn is 46 to 47)
08952-08989 Hnnyyyy (where nn is 49)
08990-09260 Hnnyyyy (where nn is 50 to 55)
09261-09280 Hnnyyyy (where nn is 57)
09281-09539 Hnnyyyy (where nn is 59 to 62)
09540-09919 Hnnyyyy (where nn is 65 to 75)
09920-10027 Hnnyyyy (where nn is 80 to 83)
10028-10203 Hnnyyyy (where nn is 90 to 95)
10204-10213 Innyyyy (where nn is 00 to 02)
10214-10259 Innyyyy (where nn is 05 to 13)
10260-10265 Innyyyy (where nn is 15)
10266-10388 Innyyyy (where nn is 20 to 28)
10389-10538 Innyyyy (where nn is 30 to 52)
10539-10679 Innyyyy (where nn is 60 to 63)
10680-11648 Innyyyy (where nn is 65 to 83)
11649-11729 Innyyyy (where nn is 85 to 89)
11730-11790 Innyyyy (where nn is 95 to 99)
11791-11844 Jnnyyyy (where nn is 00 to 06)
11845-11910 Jnnyyyy (where nn is 09 to 18)
11911-11926 Jnnyyyy (where nn is 20 to 21)
11927 J22 (specific code)
11928-12037 Jnnyyyy (where nn is 30 to 45)
12038-12041 J47yyyy
12042-12093 Jnnyyyy (where nn is 60 to 70)
12094-12098 Jnnyyyy (where nn is 80 to 82)
12099-12185 Jnnyyyy (where nn is 84 to 86)
12186-12211 Jnnyyyy (where nn is 90 to 96)
12212-12226 Jnnyyyy (where nn is 98 to 99)
12227-12303 Knnyyyy (where nn is 00 to 06)
12304-12394 Knnyyyy (where nn is 08 to 09)
12395-12445 Knnyyyy (where nn is 11 to 14)
12446-12471 Knnyyyy (where nn is 20 to 23)
12472-12558 Knnyyyy (where nn is 25 to 31)
12559-12564 K35yyyy
12565 K36
12566 K37
12567-12573 K38yyyy
12574-12637 Knnyyyy (where nn is 40 to 46)
12638-12747 Knnyyyy (where nn is 50 to 52)
12748-12883 Knnyyyy (where nn is 55 to 68)
12884-12960 Knnyyyy (where nn is 70 to 76)
12961 K77
12962-13033 Knnyyyy (where nn is 80 to 83)
13034-13047 Knnyyyy (where nn is 85 to 86)
13048 K87
13049-13090 Knnyyyy (where nn is 90 to 92)
13091-13122 Knnyyyy (where nn is 94 to 95)
13123-13319 Lnnyyyy (where nn is 00 to 05)
13320-13327 L08yyyy
13328-13358 Lnnyyyy (where nn is 10 to 13)
13359 L14
13360-13436 Lnnyyyy (where nn is 20 to 30)
13437-13475 Lnnyyyy (where nn is 40 to 44)
13476 L45
13477-13553 Lnnyyyy (where nn is 49 to 60)
13554 L62
13555-13590 Lnnyyyy (where nn is 63 to 68)
13591-13654 Lnnyyyy (where nn is 70 to 76)
13655-13909 Lnnyyyy (where nn is 80 to 95)
13910-14702 Lnnyyyy (where nn is 97 to 99)
14703-14397 Mnnyyyy (where nn is 00 to 02)
14398-15005 Mnnyyyy (where nn is 05 to 08)
15006-15406 M1A0yyyy to M1A4yyyy
15407-15409 M1A9yyyy
15410-17213 Mnnyyyy (where nn is 10 to 27)
17214-17299 Mnnyyyy (where nn is 30 to 36)
17300-17486 Mnnyyyy (where nn is 40 to 43)
17487-17848 Mnnyyyy (where nn is 45 to 51)
17849-17911 Mnnyyyy (where nn is 53 to 54)
17912-18460 Mnnyyyy (where nn is 60 to 63)
18461-18926 Mnnyyyy (where nn is 65 to 67)
18927-19221 Mnnyyyy (where nn is 70 to 72)
19222-19337 Mnnyyyy (where nn is 75 to 77)
19338-19742 Mnnyyyy (where nn is 79 to 81)
19743-22232 Mnnyyyy (where nn is 83 to 96)
22233-22333 Mnnyyyy (where nn is 99)
22334-22421 Nnnyyyy (where nn is 00 to 07)
22422 N08yyyy
22423 N10yyyy
22424-22488 Nnnyyyy (where nn is 11 to 21)
22489 N22
22490 N23
22491-22594 Nnnyyyy (where nn is 25 to 36)
22595 N37
22596-22747 Nnnyyyy (where nn is 39 to 53)
22748-22776 N60yyyy
22777 N61
22778 N62
22779 N63
22780-22798 Nnnyyyy (where nn is 64 to 65)
22799-22815 Nnnyyyy (where nn is 70 to 71)
22816 N72
22817-22826 N73yyyy
22827 N74
22828-22846 Nnnyyyy (where nn is 75 to 77)
22847-22923 Nnnyyyy (where nn is 80 to 85)
22924 N86
22925-23003 Nnnyyyy (where nn is 87 to 95)
23004 N96
23005-23059 Nnnyyyy (where nn is 97 to 99)
23060-23122 Onnyyyy (where nn is 00 to 04)
23123-23338 Onnyyyy (where nn is 07 to 16)
23339-23587 Onnyyyy (where nn is 20 to 26)
23588-24632 Onnyyyy (where nn is 28 to 36)
24633-25043 Onnyyyy (where nn is 40 to 48)
25044-25214 Onnyyyy (where nn is 60 to 67)
25215 N68
25216-25352 Onnyyyy (where nn is 69 to 75)
25353 N76
25354-25358 O77yyyy
25359 N80
25360 N82
25361 N85
25362-25502 Onnyyyy (where nn is 86 to 92)
25503 N94
25504-25705 Onnyyyy (where nn is 98 to 99)
25706-25746 O9Ayyyy
25747-25836 Pnnyyyy (where nn is 00 to 05)
25837-25874 Pnnyyyy (where nn is 07 to 08)
25875 P09
25876-25926 Pnnyyyy (where nn is 10 to 15)
25927-25931 Pnnyyyy (where nn is 19)
25932-26005 Pnnyyyy (where nn is 22 to 29)
26006-26045 Pnnyyyy (where nn is 35 to 39)
26046-26070 Pnnyyyy (where nn is 50 to 52)
26071 P53
26072-26115 Pnnyyyy (where nn is 54 to 59)
26116 P60
26117-26126 Pnnyyyy (where nn is 61)
26127-26148 Pnnyyyy (where nn is 70 to 72)
26149-26158 Pnnyyyy (where nn is 74)
26159-26179 Pnnyyyy (where nn is 76 to 78)
26180-26188 Pnnyyyy (where nn is 80 to 81)
26189-26200 P83yyyy
26201 P84
26202 P90
26203-26250 Pnnyyyy (where nn is 91 to 96)
26251-26303 Qnnyyyy (where nn is 00 to 07)
26304-26375 Qnnyyyy (where nn is 10 to 18)
26376-26466 Qnnyyyy (where nn is 20 to 28)
26467-26588 Qnnyyyy (where nn is 30 to 45)
26589-26688 Qnnyyyy (where nn is 50 to 56)
26689-27106 Qnnyyyy (where nn is 60 to 87)
27107-27155 Qnnyyyy (where nn is 89 to 93)
27156-27194 Qnnyyyy (where nn is 95 to 99)
27195-27204 Rnnyyyy (where nn is 00 to 01)
27205-27215 Rnnyyyy (where nn is 03 to 04)
27216 R05
27217-27244 Rnnyyyy (where nn is 06 to 07)
27245-27299 Rnnyyyy (where nn is 09 to 11)
27300 R12
27301-27323 Rnnyyyy (where nn is 13 to 16)
27324 R17
27325-27364 Rnnyyyy (where nn is 18 to 20)
27365 R21
27366-27388 Rnnyyyy (where nn is 22 to 23)
27389-27407 Rnnyyyy (where nn is 25 to 27)
27408-27435 Rnnyyyy (where nn is 29 to 31)
27436 R32
27437-27441 Rnnyyyy (where nn is 33)
27442 R34
27443-27449 Rnnyyyy (where nn is 35 to 36)
27450 R37
27451-27588 Rnnyyyy (where nn is 39 to 41)
27589 R42
27590-27667 Rnnyyyy (where nn is 43 to 50)
27668 R51
27669 R52
27670-27677 R53yyyy
27678 R54
27679 R55
27680-27690 Rnnyyyy (where nn is 56 to 57)
27671 R58
27672-27699 Rnnyyyy (where nn is 59 to 60)
27700 R61
27701-27717 Rnnyyyy (where nn is 62 to 63)
27718 R64
27719-27725 R65yyyy
27726-27740 R68yyyy
27741 R69
27742-27747 Rnnyyyy (where nn is 70 to 71)
27748-27757 Rnnyyyy (where nn is 73 to 74)
27758 R75
27759-27801 Rnnyyyy (where nn is 76 to 80)
27802 R81
27803-27980 Rnnyyyy (where nn is 82 to 94)
27981-27985 R97yyyy
27986 R99
27987-31729 Snnyyyy (where nn is 00 to 17)
31730-66650 Snnyyyy (where nn is 19 to 99)
66651 T07
66652-70623 Tnnyyyy (where nn is 14 to 28)
70624-71082 Tnnyyyy (where nn is 30 to 34)
71083-78125 Tnnyyyy (where nn is 36 to 71)
78126-78306 Tnnyyyy (where nn is 73 to 76)
78307-80560 Tnnyyyy (where nn is 78 to 88)
80561-81098 Vnnyyyy (where nn is 00 to 06)
81099-85747 Vnnyyyy (where nn is 09 to 99)
85748-85800 Wnnyyyy (where nn is 00 to 01)
85801-86713 Wnnyyyy (where nn is 03 to 40)
86714-86722 W42yyyy
86723-86748 Wnnyyyy (where nn is 45 to 46)
86749-87259 Wnnyyyy (where nn is 49 to 62)
87260-87267 Wnnyyyy (where nn is 64 to 65)
87268-87271 W67yyyy
87272-87275 W69yyyy
87276-87283 Wnnyyyy (where nn is 73 to 74)
87284-87300 Wnnyyyy (where nn is 85 to 86)
87301-87347 Wnnyyyy (where nn is 88 to 90)
87348-87422 Wnnyyyy (where nn is 92 to 94)
87423-87426 W99yyyy
87427-87551 Xnnyyyy (where nn is 00 to 06)
87552-87595 X08yyyy
87596-87680 Xnnyyyy (where nn is 10 to 19)
87681-87692 Xnnyyyy (where nn is 30 to 32)
87693-87765 Xnnyyyy (where nn is 34 to 39)
87766-87769 X52yyyy
87770-87773 X58yyyy
87774-87954 Xnnyyyy (where nn is 71 to 83)
87959-88105 Xnnyyyy (where nn is 92 to 99)
88106-88152 Ynnyyyy (where nn is 00 to 04)
88153-88219 Ynnyyyy (where nn is 07 to 08)
88220 Y09
88221-88365 Ynnyyyy (where nn is 21 to 33)
88366-89663 Ynnyyyy (where nn is 35 to 38)
89664-89699 Ynnyyyy (where nn is 62 to 65)
89700 Y66
89701 Y69
89702-89797 Ynnyyyy (where nn is 70 to 84)
89798-89808 Y90yyyy
89809-90182 Ynnyyyy (where nn is 92 to 93)
90183 Y95
90184-90189 Y99yyyy
90190-90283 Znnyyyy (where nn is 00 to 04)
90284 Z08
90285 Z09
90286-90414 Znnyyyy (where nn is 10 to 18)
90415-90435 Z20yyyy
90436 Z21
90437-90458 Z22yyyy
90459 Z23
90460-90477 Z28yyyy
90478-90552 Znnyyyy (where nn is 30 to 34)
90553 Z36
90554-90597 Z3Ayyyy
90598-90800 Znnyyyy (where nn is 37 to 49)
90801-90855 Znnyyyy (where nn is 51 to 53)
90856-90889 Znnyyyy (where nn is 55 to 57)
90890-90908 Znnyyyy (where nn is 59 to 60)
90909-90960 Znnyyyy (where nn is 62 to 65)
90961 Z66
90962-91737 Znnyyyy (where nn is 67 to 99)

Bill Parker (wp02855 () gmail com)

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
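To show what Bill's PCRE route looks like next to Emiliano's one-rule-per-value generator, here is an added example (not code from either post): it turns one line of the table, e.g. "Cnnyyyy (where nn is 00 to 75)", into a single Snort pcre rule for the whole block, and dry-runs the pattern against a constructed payload so the false-positive problem of short codes such as B52 is visible before the rule goes near a sensor. Function names and the sid base are mine; the optional dot after the third character is an assumption based on how ICD-10 codes are usually written out, and is not in Bill's table.

```python
import re

def two_digit_range_regex(lo, hi):
    """Regex (no anchors) matching exactly the zero-padded two-digit strings lo..hi.
    Example: (0, 75) -> '(?:[0-6]\\d|7[0-5])'.  Assumes 0 <= lo <= hi <= 99."""
    alts = []
    n = lo
    while n <= hi:
        tens, ones = divmod(n, 10)
        block_end = tens * 10 + 9
        if ones == 0 and block_end <= hi:
            # One or more complete decades: collapse them into a single alternative.
            top = tens
            while (top + 1) * 10 + 9 <= hi:
                top += 1
            tens_cls = str(tens) if top == tens else '[%d-%d]' % (tens, top)
            alts.append(tens_cls + r'\d')
            n = (top + 1) * 10
        else:
            # Partial decade: fixed tens digit plus a class for the ones digit.
            end = min(hi, block_end)
            last_ones = end - tens * 10
            ones_cls = str(ones) if last_ones == ones else '[%d-%d]' % (ones, last_ones)
            alts.append('%d%s' % (tens, ones_cls))
            n = end + 1
    return '(?:' + '|'.join(alts) + ')'

def icd10_pattern(letter, lo, hi):
    # Letter + nn + optional '.' (assumption: written-out ICD-10 codes carry a dot after
    # the third character) + up to four alphanumerics (Bill's yyyy), as a whole token.
    return r'\b%s%s\.?[A-Z0-9]{0,4}\b' % (letter, two_digit_range_regex(lo, hi))

def icd10_rule(letter, lo, hi, sid):
    # One pcre rule per code block instead of one content rule per code value.
    return ('alert tcp any any -> any any (msg:"HIPAA PII - possible ICD-10 %s%02d-%s%02d '
            'code in cleartext"; pcre:"/%s/i"; sid:%d; rev:1;)'
            % (letter, lo, letter, hi, icd10_pattern(letter, lo, hi), sid))

def find_codes(letter, lo, hi, text):
    # Dry-run a block pattern against a payload to see what it would actually fire on.
    return re.findall(icd10_pattern(letter, lo, hi), text, re.IGNORECASE)

if __name__ == '__main__':
    # Constructed sample payload: two real-looking codes and two innocent tokens.
    sample = 'dx=Z37.0 secondary=C75.1 aircraft B52 paper A100'
    print(icd10_rule('C', 0, 75, 1000001))
    print(find_codes('Z', 37, 49, sample))   # ['Z37.0']
    print(find_codes('B', 0, 99, sample))    # ['B52']: a false positive
```

Blocks that cover a whole letter (A00-A99, B00-B99) will fire on any letter-plus-two-digits token, so a deployment would restrict itself to the narrower blocks, require the dot, or use Snort's detection_filter/threshold options to alert only when several codes appear in one stream.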
Current thread:
- Possible new idea for PII/Sensitive Data in Snort Bill Parker (Jun 25)
- Re: Possible new idea for PII/Sensitive Data in Snort Emiliano Fausto (Jun 25)