Snort mailing list archives
Re: preprocessor sensitive_data (snort 2.8.6.0)
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 4 Jun 2010 10:39:55 -0400
Jason,

Your concerns are all definitely valid.

On Fri, Jun 4, 2010 at 9:58 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:

> We have the same issue. I know this preprocessor is new, and while it has huge potential, there are some challenges with it.
>
> 1. Long strings of numbers trigger false positives.

This was a bug in the Release Candidate. As of Snort 2.8.6 final, both the "us_social" and "us_social_nodashes" patterns require a non-digit on both sides of the number. Have you seen this problem since upgrading to the release version?

> 2. You can only have 1 rule with each default pattern type.

I have a bug sitting in my Bugzilla queue right now to go back and fix this. Expect a change in the next major Snort release.

> 3. From the README.sensitive_data.bz2 Caveats: sd_pattern is not compatible with other rule options. Trying to use other rule options with sd_pattern will result in an error message.

This one is not expected to change in the next release. I'll try to explain briefly. Normally, when a rule is parsed, it gets broken into sections and thrown into a "tree" with the other rules. Then, after all the preprocessors are done running on a packet, Snort goes through this tree and starts matching rules against the packet. When a sensitive data rule gets parsed, it does not go in the tree with the other rules. Instead, the Sensitive Data preprocessor becomes responsible for matching patterns and firing alerts. This gets done before the rest of the rules are even evaluated. I have an idea or two for organizing things differently so that this isn't a problem, but it's not a quick fix, and thus not very high on my list of priorities right now. I will try to get to it as time allows.

-Ryan
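The false-positive point above (a long run of digits matching the SSN patterns in the Release Candidate, fixed in 2.8.6 final by requiring a non-digit on both sides) can be reproduced outside Snort. The following is an added, constructed illustration and not Snort's own matching code: it approximates the "us_social" (dashed) and "us_social_nodashes" patterns as Python regexes, once without boundary checks (the RC behaviour) and once with a non-digit required on each side (the release behaviour), and counts matches over a few constructed payloads such as a long order number. The payload strings and the function names are assumptions for the example.

```python
import re

# Constructed approximations of the two Snort 2.8.6 SSN patterns.
# These are illustrative regexes, not the preprocessor's own implementation.

# RC-style patterns: no boundary requirement, so nine digits anywhere inside a
# longer run of digits (an order or tracking number, a hash, a timestamp) match.
RC_SSN_NODASHES = re.compile(r"\d{3}\d{2}\d{4}")
RC_SSN_DASHES = re.compile(r"\d{3}-\d{2}-\d{4}")

# Release-style patterns: a non-digit (or start/end of buffer) is required on
# both sides, which is what the 2.8.6 final fix adds.
RELEASE_SSN_NODASHES = re.compile(r"(?<!\d)\d{3}\d{2}\d{4}(?!\d)")
RELEASE_SSN_DASHES = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def scan(payload: str) -> dict:
    """Return the number of non-overlapping matches for each pattern variant."""
    return {
        "rc_nodashes": len(RC_SSN_NODASHES.findall(payload)),
        "rc_dashes": len(RC_SSN_DASHES.findall(payload)),
        "release_nodashes": len(RELEASE_SSN_NODASHES.findall(payload)),
        "release_dashes": len(RELEASE_SSN_DASHES.findall(payload)),
    }


# Constructed sample payloads (the SSN-looking values are placeholders).
SAMPLE_PAYLOADS = [
    "order id 12345678901234567890 confirmed",  # 20-digit order number, no SSN
    "ssn 123456789 on file",                     # genuine nine-digit hit
    "ssn 123-45-6789 on file",                   # genuine dashed hit
    "ref 9123-45-67890",                         # dashed pattern embedded in a longer number
]


def false_positive_payloads() -> list:
    """Payloads the RC-style patterns flag but the release-style patterns do not."""
    out = []
    for p in SAMPLE_PAYLOADS:
        r = scan(p)
        rc_hits = r["rc_nodashes"] + r["rc_dashes"]
        rel_hits = r["release_nodashes"] + r["release_dashes"]
        if rc_hits > 0 and rel_hits == 0:
            out.append(p)
    return out


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{p!r}: {scan(p)}")
    print("RC-only (false positive) payloads:", false_positive_payloads())
```

Run as a script, it prints the per-pattern counts for each payload. The two payloads that contain no SSN at all are matched only by the unbounded patterns, which is the behaviour reported in the thread; a real deployment should verify the fix against its own traffic rather than against these constructed strings.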