Snort mailing list archives

Re: preprocessor sensitive_data (snort 2.8.6.0)


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 4 Jun 2010 09:58:35 -0400

We have the same issue. I know this preprocessor is new, and while it
has huge potential, there are some challenges with it.

1. Long strings of numbers trigger false positives.

ex.
I saw this in some web traffic trigger the "SENSITIVE-DATA U.S. Social
Security Numbers w/out dashes" rule...

--10  05/25/2010  STBT    93       93      1      0       3780089812
3780089905
----  05/25/2010  RTL     68       0       1      0       3780089812
3780089905
--11  05/24/2010  STBT    122      122     73     0       3780089689
3780089811
----  05/24/2010  RTL     81       81      73     0       3780089689
3780089811
--13  05/22/2010  STBT    123      123     92     1       3780089566
3780089688

In those strings there might be 9 consecutive digits that could be an
SSN, but the strings themselves are too long, making it unlikely they
are actually SSNs. An option to say it has to be exactly 9 digits to
be considered an SSN would help with this.

2. You can only have 1 rule with each default pattern type.

ex.
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]
(msg:"SENSITIVE-DATA U.S. Social Security Numbers with dashes";
metadata:service http, service smtp, service ftp-data, service imap,
service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138;
rev:1;)

You can NOT split that like so...

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"SENSITIVE-DATA
U.S. Social Security Numbers with dashes HTTP"; metadata:service http;
sd_pattern:2,us_social; classtype:sdf; sid:10; gid:138; rev:1;)

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"SENSITIVE-DATA
U.S. Social Security Numbers with dashes SMTP"; metadata:service smtp;
sd_pattern:2,us_social; classtype:sdf; sid:11; gid:138; rev:1;)

If you try you get this error...

ERROR: Sensitive Data rule 138:11 uses a pattern that duplicates rule 138:10.
Fatal Error, Quitting..

Being able to split them would provide more targeted detection.

3. From the README.sensitive_data.bz2

Caveats:
    sd_pattern is not compatible with other rule options. Trying to use
    other rule options with sd_pattern will result in an error message.

This makes it difficult to write rules that will not pick up on things
like cookie strings.


Wally
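As an added illustration (not code from the post, and not how Snort's sd_pattern is implemented), the Python below runs a bare nine-digit match and a digit-boundary match over lines modelled on the traffic quoted above; the boundary form is the "exactly 9 digits" behaviour the post asks for, and the sample lines are constructed.

```python
import re

# Constructed sample lines: the first two mimic the web traffic quoted in the
# post (long digit runs), the last two are made-up tokens for comparison.
SAMPLE_LINES = [
    "--10  05/25/2010  STBT    93       93      1      0       3780089812 3780089905",
    "--13  05/22/2010  STBT    123      123     92     1       3780089566 3780089688",
    "SSN on file: 123456789",          # constructed: an isolated 9-digit token
    "id=1234567890123 sid=987654321",  # constructed: 13-digit run next to a 9-digit token
]

# Naive check: any 9 consecutive digits. A 10-digit or 13-digit run
# contains such a window, which is the false positive the post describes.
NAIVE_SSN = re.compile(r"\d{9}")

# Tighter check: 9 digits with no digit immediately before or after, so a
# run of 10+ digits is not a candidate at all.
EXACT_SSN = re.compile(r"(?<!\d)\d{9}(?!\d)")


def find_candidates(text, pattern):
    """Return every substring of `text` that `pattern` treats as an SSN candidate."""
    return [m.group(0) for m in pattern.finditer(text)]


def count_hits(lines, pattern):
    """Total candidate count over all lines, i.e. how often a rule would fire."""
    return sum(len(find_candidates(line, pattern)) for line in lines)


def compare(lines):
    """Per-line (naive, exact) candidate lists, for eyeballing what each check flags."""
    return [(find_candidates(l, NAIVE_SSN), find_candidates(l, EXACT_SSN)) for l in lines]


if __name__ == "__main__":
    for line, (naive, exact) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print(f"{line!r}\n  naive: {naive}\n  exact: {exact}")
    print("naive hits:", count_hits(SAMPLE_LINES, NAIVE_SSN))  # 7
    print("exact hits:", count_hits(SAMPLE_LINES, EXACT_SSN))  # 2
```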

On Fri, Jun 4, 2010 at 8:39 AM, Joel Esler <jesler () sourcefire com> wrote:
Take a look at the sensitive-data.rules as well as the README for the
sensitive data preprocessor to see how you can write your own rules, etc, to
detect what you'd like.
The rules are great examples, you can build from there.

On Jun 3, 2010, at 6:06 PM, Lawrence R. Hughes, Sr. wrote:

Hi,

When we enable the "preprocessor sensitive_data", we are getting alerts for
everyday cookies.
Is there a way to tighten this up or disable the cookies from being
detected?

--
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

