Snort mailing list archives

Re: Sensitive Data Preprocessor: logging single matches


From: Erik Johnson <ejohnson () vailsys com>
Date: Tue, 1 Mar 2011 10:41:54 -0600

On Fri, Feb 25, 2011 at 08:59:54PM -0500, Victor Roemer wrote:
> I think I can clear this up for you.
>
> preprocessor sensitive_data: alert_threshold 25
>
> This configuration dictates that 25 occurrences of ANY combination of
> sdf rules being hit in a given session will cause SDF_COMBO_ALERT (139:1) to
> be triggered.
>
> Now, regardless of whatever alert_threshold is set to in the preprocessor,
> your gid:138 rules would still alert based on their settings.

Yeah, I set it back to 25 and was able to confirm that I could trip the
GID 138 rules with less than 25.

> Now, for the specific PII rule you're interested in (Credit Cards) the default
> value of count is set to 2, meaning after 2 occurrences of the rule being hit
> (in a given session) you'll receive an alert.
>
> So if you wanted to alert after only seeing 1 credit card number you would
> change this count to 1.

Unfortunately this is not the case. When it is set to one, a single CC
number will not trip the alert, but 2 numbers will.

Another issue I have noticed is that since I enabled the SDP, sensitive
data alerts do not log the packet to the tcpdump log.

> Hope this clears things up!
>
> On Fri, Feb 25, 2011 at 7:58 PM, Erik Johnson <ejohnson () vailsys com> wrote:
>
> > I have enabled the SDP and have it successfully logging matches for
> > Credit Card numbers and SSNs being sent in the clear through a mail
> > server. However, according to the following README:
> >
> > http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD
> >
> > The preprocessor's alert threshold must be 'higher than the highest
> > individual count in your "sd_pattern" rules'. With sd_pattern allowing a
> > minimum count of 1, this means that the alert_threshold should be set to
> > a minimum of 2. In fact, when I set it to 1, it still didn't log an
> > alert until I put 2 valid credit card numbers into the email. This makes
> > catching emails with single credit card numbers impossible. Is there a
> > reason for this restriction, or a way around it?
> >
> > I apologize if this has been answered before, I searched but was unable
> > to find any explanation.


--

Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699

http://www.vailsys.com
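As an added illustration (constructed for this archive page, not taken from the thread or from Snort's own documentation), the following snort.conf fragment puts the two settings the thread discusses side by side: the preprocessor's alert_threshold and the per-rule count inside sd_pattern. The rule bodies, sids and msg strings are assumptions; the credit_card and us_social pattern keywords, the gid:138 rules and the 139:1 combo alert are the ones the thread and Snort's README.sensitive_data refer to.

```snort
# Added example configuration (constructed for illustration, not from the thread).
# Preprocessor: SDF_COMBO_ALERT (gid 139, sid 1) fires once ANY mix of
# sd_pattern rules has matched alert_threshold times within one session.
# README.sensitive_data requires this value to be higher than the largest
# count used in any sd_pattern rule below.
preprocessor sensitive_data: alert_threshold 25

# Rule A: the default behaviour described in the thread. count = 2, so the
# first credit card number in a session produces no gid 138 alert; the
# second one does. (sid values are assumed placeholders.)
alert tcp $HOME_NET any -> $EXTERNAL_NET $SMTP_PORTS \
    (msg:"SDF credit card numbers in SMTP (count 2)"; \
    gid:138; sid:1000001; rev:1; \
    sd_pattern:2,credit_card;)

# Rule B: the setting Erik tried. A count of 1 is allowed, and alert_threshold
# 25 still satisfies "higher than the highest count", so this is how "alert on
# the first number" is expressed. Whether it really fires on a single number
# is exactly what the thread reports as not working, so confirm it with a test
# message before relying on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SMTP_PORTS \
    (msg:"SDF credit card number in SMTP (count 1)"; \
    gid:138; sid:1000002; rev:1; \
    sd_pattern:1,credit_card;)

# Same shape for the other data type mentioned in the thread (SSNs).
alert tcp $HOME_NET any -> $EXTERNAL_NET $SMTP_PORTS \
    (msg:"SDF US social security numbers in SMTP"; \
    gid:138; sid:1000003; rev:1; \
    sd_pattern:2,us_social;)
```

Both counters are per session, so a practical check is to send two test messages, one containing a single test number and one containing two, and confirm which gid:138 sid (if any) appears in the alert log for each; that distinguishes "count 1 is ignored" from "the preprocessor never saw the first match".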
