Snort mailing list archives

Re: Sensitive Data Preprocessor: logging single matches


From: Victor Roemer <vroemer () sourcefire com>
Date: Fri, 25 Feb 2011 20:59:54 -0500

I think I can clear this up for you.

preprocessor sensitive_data: alert_threshold 25

This configuration dictates that after 25 occurrences of ANY combination of
sdf rules being hit in a given session, SDF_COMBO_ALERT (139:1) will be
triggered.

Now, regardless of whatever alert_threshold is set to in the preprocessor,
your gid:138 rules would still alert based on their settings.

-- snipped from snort manual --

sd_pattern <count>, <pattern>;


count

This dictates how many times a PII pattern must be matched for an alert to
be generated. The count is tracked across all packets in a session.

...


-- /snip --

Now, for the specific PII rule you're interested in (Credit Cards) the default
value of count is set to 2, meaning after 2 occurrences of the rule being hit
(in a given session) you'll receive an alert.

So if you wanted to alert after only seeing 1 credit card number you would
change this count to 1.

Hope this clears things up!

On Fri, Feb 25, 2011 at 7:58 PM, Erik Johnson <ejohnson () vailsys com> wrote:

I have enabled the SDP and have it successfully logging matches for
Credit Card numbers and SSNs being sent in the clear through a mail
server. However, according to the following README:


http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD

The preprocessor's alert threshold must be 'higher than the highest
individual count in your "sd_pattern" rules'. With sd_pattern allowing a
minimum count of 1, this means that the alert_threshold should be set to
a minimum of 2. In fact, when I set it to 1, it still didn't log an
alert until I put 2 valid credit card numbers into the email. This makes
catching emails with single credit card numbers impossible. Is there a
reason for this restriction, or a way around it?

I apologize if this has been answered before, I searched but was unable
to find any explanation.



------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in
Real-Time with Splunk. Collect, index and harness all the fast moving IT
data
generated by your applications, servers and devices whether physical,
virtual
or in the cloud. Deliver compliance at lower cost and gain new business
insights. http://p.sf.net/sfu/splunk-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

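The two counters the reply describes (the per-rule count in sd_pattern and the session-wide alert_threshold on the preprocessor line) as an added example that is not part of the original thread and is not Snort's own code: a small Python model that parses a constructed snort.conf-style fragment, replays the packets of one session and reports which gid:sid alerts would fire. The sids, ports and classtype in the fragment, the simplified credit_card and us_social patterns, and the once-per-session alert behaviour are assumptions of this model, not facts taken from Snort.

```python
"""Model of how Snort's Sensitive Data preprocessor counts PII matches.

Constructed example for this thread; it is not Snort's code. It reads the two
settings discussed above from a snort.conf-style fragment (alert_threshold on
the preprocessor line, the count in each sd_pattern rule), replays the packets
of one session and reports which gid:sid alerts would fire.
"""
import re
from collections import Counter

# Constructed config fragment. Sids, ports and the 'sdf' classtype are assumed,
# not copied from Snort's shipped sensitive-data rules.
CONFIG_DEFAULT = """
preprocessor sensitive_data: alert_threshold 25
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SENSITIVE-DATA credit card"; sd_pattern:2,credit_card; classtype:sdf; gid:138; sid:2; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SENSITIVE-DATA US SSN"; sd_pattern:2,us_social; classtype:sdf; gid:138; sid:3; rev:1;)
"""
# The change suggested in the reply: alert on a single card number.
CONFIG_SINGLE_CARD = CONFIG_DEFAULT.replace("sd_pattern:2,credit_card", "sd_pattern:1,credit_card")
# A low combined threshold, to show the 139:1 combo alert firing.
CONFIG_LOW_THRESHOLD = CONFIG_DEFAULT.replace("alert_threshold 25", "alert_threshold 4")

PREPROC_RE = re.compile(r"^preprocessor\s+sensitive_data:\s*(.*)$")
SD_PATTERN_RE = re.compile(r"sd_pattern:\s*(\d+)\s*,\s*([^;]+);")
GID_RE = re.compile(r"\bgid:\s*(\d+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def luhn_ok(digits: str) -> bool:
    """Luhn check, which the built-in credit_card pattern applies before counting."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Simplified stand-ins for the built-in patterns (assumed; Snort's own are stricter).
PATTERNS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){14,15}\d\b"),
                    lambda s: luhn_ok(re.sub(r"\D", "", s))),
    "us_social": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
}


def parse_config(text: str):
    """Return (alert_threshold, [(count, pattern_name, gid, sid), ...])."""
    threshold = 25  # Snort's documented default, used here if the line is absent
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = PREPROC_RE.match(line)
        if m:
            t = re.search(r"alert_threshold\s+(\d+)", m.group(1))
            if t:
                threshold = int(t.group(1))
            continue
        sd = SD_PATTERN_RE.search(line)
        if sd and line.startswith("alert"):
            gid = int(GID_RE.search(line).group(1))
            sid = int(SID_RE.search(line).group(1))
            rules.append((int(sd.group(1)), sd.group(2).strip(), gid, sid))
    return threshold, rules


def replay_session(config_text: str, packets):
    """Replay payloads of one session; return alerts in the order they fire.

    Per-rule counts accumulate across all packets of the session, and a second
    counter sums matches of every sd_pattern rule for the 139:1 combo alert.
    Each alert is reported once per session (an assumption of this model).
    """
    threshold, rules = parse_config(config_text)
    per_rule = Counter()
    combined = 0
    alerts = []
    for payload in packets:
        for count, name, gid, sid in rules:
            regex, verify = PATTERNS[name]
            hits = [m.group(0) for m in regex.finditer(payload) if verify(m.group(0))]
            if not hits:
                continue
            per_rule[sid] += len(hits)
            combined += len(hits)
            tag = f"{gid}:{sid}"
            if per_rule[sid] >= count and tag not in alerts:
                alerts.append(tag)
        if combined >= threshold and "139:1" not in alerts:
            alerts.append("139:1")
    return alerts


# Constructed sample payloads (well-known test card numbers, made-up SSNs).
VISA_TEST = "4111 1111 1111 1111"   # passes Luhn
MC_TEST = "5500 0000 0000 0004"     # passes Luhn
BAD_LUHN = "4111 1111 1111 1112"    # fails Luhn, so it must not count
SSN_A, SSN_B = "123-45-6789", "987-65-4321"

if __name__ == "__main__":
    print(replay_session(CONFIG_DEFAULT, [f"card: {VISA_TEST}"]))                      # []
    print(replay_session(CONFIG_DEFAULT, [f"card: {VISA_TEST}", f"and {MC_TEST}"]))    # ['138:2']
    print(replay_session(CONFIG_SINGLE_CARD, [f"card: {VISA_TEST}"]))                  # ['138:2']
    print(replay_session(CONFIG_SINGLE_CARD, [f"card: {BAD_LUHN}"]))                   # []
    print(replay_session(CONFIG_LOW_THRESHOLD,
                         [f"{VISA_TEST} {SSN_A}", f"{MC_TEST} {SSN_B}"]))              # ['138:2', '138:3', '139:1']
```

The third and fourth runs are the point of the thread: with the count lowered to 1 a single valid card number raises 138:2 on its own, independent of alert_threshold, while a number that fails the Luhn check never counts toward either counter. Whether the real preprocessor fires 139:1 at exactly the moment this model does is not something the thread settles, so treat the combo cases as illustrative.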
