Snort mailing list archives
Re: preprocessor sensitive_data (snort 2.8.6.0)
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 4 Jun 2010 10:17:19 -0400
If you're getting a lot of false positives, there are a few things you can do.

1) Turn up the threshold on that particular rule. Sensitive Data rules have the "sd_pattern" option in them. It works like this:

    sd_pattern:<count>,<pattern>

The <count> part specifies how many instances of the pattern you need to see before an alert gets generated. This counter is used per TCP stream, not packet.

2) Restrict the ports on which you're running the noisy rule.

3) Disable the rule. "U.S. Social Security Numbers (w/out dashes)" in particular is very prone to false positives. It was provided separately from the other SSN rule so that you could turn it off individually.

On Fri, Jun 4, 2010 at 8:39 AM, Joel Esler <jesler () sourcefire com> wrote:

Take a look at the sensitive-data.rules as well as the README for the sensitive data preprocessor to see how you can write your own rules, etc., to detect what you'd like. The rules are great examples, you can build from there.

On Jun 3, 2010, at 6:06 PM, Lawrence R. Hughes, Sr. wrote:

Hi,

When we enable the "preprocessor sensitive_data", we are getting alerts for everyday cookies. Is there a way to tighten this up or disable the cookies from being detected?

--
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com
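To see how the per-stream <count> threshold and the port restriction from the reply above change what fires, here is an added Python emulation of the sd_pattern counting logic (this is not Snort's code). It assumes a stand-in regex for the "SSN without dashes" pattern and runs over constructed sample traffic: a browser whose cookie carries a nine-digit session id, and an outbound mail containing several bare SSN-shaped numbers.

```python
import re
from collections import defaultdict

# Stand-in (assumption, not Snort's pattern): nine digits not embedded
# in a longer digit run, the shape that matches a dash-less SSN.
SSN_NODASH = re.compile(r"(?<!\d)\d{9}(?!\d)")


def sd_alerts(packets, count, ports=None):
    """Emulate sd_pattern:<count>,<pattern> over a list of packets.

    packets: (src, sport, dst, dport, payload) tuples in arrival order.
    count:   matches required in one TCP stream before alerting.
    ports:   optional set of destination ports the rule is limited to.
    Returns the stream keys that produced an alert, in alert order.
    """
    seen = defaultdict(int)
    alerted = []
    for src, sport, dst, dport, payload in packets:
        if ports is not None and dport not in ports:
            continue  # rule not applied on this port
        key = (src, sport, dst, dport)  # one counter per stream, not per packet
        seen[key] += len(SSN_NODASH.findall(payload))
        if seen[key] >= count and key not in alerted:
            alerted.append(key)
    return alerted


# Constructed sample traffic (addresses from documentation ranges,
# numbers made up). Two HTTP streams carry a 9-digit cookie value;
# one SMTP stream carries three SSN-shaped numbers.
SAMPLE = [
    ("10.0.0.5", 51000, "203.0.113.10", 80, "GET / HTTP/1.1\r\nCookie: sid=123456789\r\n\r\n"),
    ("10.0.0.5", 51000, "203.0.113.10", 80, "GET /a HTTP/1.1\r\nCookie: sid=123456789\r\n\r\n"),
    ("10.0.0.5", 51001, "203.0.113.10", 80, "GET /b HTTP/1.1\r\nCookie: sid=987654321\r\n\r\n"),
    ("10.0.0.7", 52000, "203.0.113.25", 25, "SSNs: 123456789 234567890\r\n"),
    ("10.0.0.7", 52000, "203.0.113.25", 25, "more: 345678901\r\n"),
]

if __name__ == "__main__":
    # count=1 fires on every stream, cookies included; raising the count
    # to 3 leaves only the SMTP stream; limiting to port 25 does the same
    # even at count=1.
    print("count=1:", sd_alerts(SAMPLE, 1))
    print("count=3:", sd_alerts(SAMPLE, 3))
    print("count=1, ports={25}:", sd_alerts(SAMPLE, 1, ports={25}))
```

Note that with count=2 the first HTTP stream still alerts, because its two packets each contribute a match to the same stream counter; that is the per-stream behaviour the reply describes.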