Snort mailing list archives

Sensitive Data Preprocessor


From: Joshua Kinard <kumba () gentoo org>
Date: Tue, 21 Feb 2012 20:08:28 -0500


This is a curious little preprocessor, so I decided to play with it a bit,
and have a few questions...

1. For the 'mask_output' directive, where does that actually operate?  I
tested out some sample e-mail traffic I generated with an SSN in it, and in
both the console output and the raw packet output, the SSN was clearly
visible, so I am dubious if this directive actually works as advertised.

Also, it says it will obfuscate the last four digits of credit card numbers.
My experience has shown the opposite to be true, that the first 12 digits
(for Visa, MasterCard) are typically obfuscated out while leaving the last
four visible.  Should Snort mirror this?  Obfuscate the last 4 for SSN and
the first 12 for CC's?  Amex and other cards might need minor tweaks, as
they have a slightly different number format.



2. For the 'ssn_file' directive, it looks like that as of 06/24/2011, the US
Social Security Administration switched to a randomized SSN format that
deprecates the need for this file.  The last file that they issued was on
the above date:

http://www.socialsecurity.gov/employer/randomization.html
http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

So is this directive still needed?  Or would it make sense to incorporate
the final release into Snort and remove this directive?



3. No output from the alerts is logged.  I brought this issue up once before
when I reported that tcpdump files contain only the 24-byte PCAP header and
nothing else.  I have since run into this issue while using file_data, too.
So it seems to be something with the way preprocessor alerts are processed
that they are not logged to files in some cases.

I even tested unified2 output, and all I get is a 0-byte file written to my
log directory.  If I use -A full, and configure alert_full, then I get the
text of the alert and the IP/TCP headers only written out to a file, but no
application layer or payload.

This partially relates back to item #1, because I can't see what exactly
mask_output should be obfuscating.  So I am still confused on why Snort is
writing empty files out.  That still seems like a bug to me.


Here's the relevant parts of my config and test rules:

output log_tcpdump: log/snort.log
output alert_full: alert.full
output alert_unified2: filename alert.u2
output log_unified2: filename log.u2

preprocessor sensitive_data:  \
        mask_output  \
        ssn_file ssn-grps-20110624-final.csv

alert tcp any any -> any 25 (msg:"sd_pattern test smtp";
sd_pattern:1,us_social; sid:42000030; rev:1; gid:138;
classtype:policy-violation;)


Thanks!

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

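The two masking conventions the post argues about (the preprocessor's documented "all but the last four" versus the receipt-style "hide the last four of an SSN, hide the first twelve of a card") are easy to get wrong in log output, so here is a small reference scrubber that shows both side by side. This is an added example written for this archive page; it is not code from Snort's sensitive_data preprocessor or from the poster. The regexes, the policy table, the function names and the SMTP body are all constructed for the example, and the Luhn check is the standard mod-10 checksum used here to drop digit runs that merely look like card numbers:

```python
import re

# Candidate patterns, constructed for this example (Snort's own sd_pattern matcher is separate code).
# SSN: AAA-GG-SSSS; area 000, 666 and 9xx are never issued, group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Card: 13 to 16 digits, optionally split by single spaces or dashes (Visa/MC 16, Amex 15).
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

# Which digits stay visible, as (reveal_first, reveal_last). Policy names are this example's own.
POLICIES = {
    # What the preprocessor README describes: everything but the last four digits is obfuscated.
    "snort_manual": {"ssn": (0, 4), "cc": (0, 4)},
    # What the poster sees in practice: SSNs hide the last four, cards hide the first twelve.
    "receipt_style": {"ssn": (5, 0), "cc": (0, 4)},
}


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of a card candidate; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(token: str, reveal_first: int = 0, reveal_last: int = 0, fill: str = "X") -> str:
    """Replace digits with `fill`, keeping the first/last N digits and every separator.

    Output length equals input length, so byte offsets into the payload stay valid
    after masking (useful when the masked text is what ends up in an alert log)."""
    positions = [i for i, c in enumerate(token) if c.isdigit()]
    digit_pos = set(positions)
    n = len(positions)
    keep = set(positions[:reveal_first]) | set(positions[max(n - reveal_last, 0):])
    return "".join(fill if i in digit_pos and i not in keep else c for i, c in enumerate(token))


def scrub(payload: str, policy: str = "snort_manual"):
    """Mask SSNs and Luhn-valid card numbers in `payload` under the named policy.

    Returns (masked_payload, findings) where findings is a list of
    (kind, offset, masked_value) tuples sorted by offset."""
    rules = POLICIES[policy]
    findings = []

    def cc_repl(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)              # checksum fails: not a card, leave it untouched
        masked = mask_digits(m.group(0), *rules["cc"])
        findings.append(("credit_card", m.start(), masked))
        return masked

    def ssn_repl(m):
        masked = mask_digits(m.group(0), *rules["ssn"])
        findings.append(("us_social", m.start(), masked))
        return masked

    masked = CC_RE.sub(cc_repl, payload)   # cards first: masking preserves length, so
    masked = SSN_RE.sub(ssn_repl, masked)  # the SSN offsets recorded afterwards are still right
    findings.sort(key=lambda f: f[1])
    return masked, findings


# Constructed SMTP body: one SSN, a Visa test number, an Amex test number, and a
# 13-digit ticket id that fails Luhn and must therefore be left visible.
SAMPLE_SMTP_BODY = (
    "Subject: payroll update\r\n\r\n"
    "Employee SSN 123-45-6789, card 4111 1111 1111 1111, "
    "amex 378282246310005, ticket 1234567890123 (not a card).\r\n"
)

if __name__ == "__main__":
    for name in POLICIES:
        text, hits = scrub(SAMPLE_SMTP_BODY, name)
        print(f"--- {name}: {len(hits)} finding(s)")
        for kind, off, val in hits:
            print(f"{kind:12s} @{off:4d} {val}")
        print(text)
```

Running it prints the same body twice, once per policy: under `snort_manual` the SSN becomes `XXX-XX-6789`, under `receipt_style` it becomes `123-45-XXXX`, while the two card numbers are masked to their last four digits either way and the Luhn-invalid ticket number is never touched. The length-preserving mask is deliberate: whatever convention a sensor settles on, a masked alert or pcap-derived log should still line up with the original offsets.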

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
