Snort mailing list archives
Sensitive Data Preprocessor
From: Joshua Kinard <kumba () gentoo org>
Date: Tue, 21 Feb 2012 20:08:28 -0500
This is a curious little preprocessor, so I decided to play with it a bit, and have a few questions...

1. For the 'mask_output' directive, where does that actually operate? I tested out some sample e-mail traffic I generated with an SSN in it, and in both the console output and the raw packet output, the SSN was clearly visible, so I am dubious if this directive actually works as advertised. Also, it says it will obfuscate the last four digits of credit card numbers. My experience has shown the opposite to be true, that the first 12 digits (for Visa, MasterCard) are typically obfuscated out while leaving the last four visible. Should Snort mirror this? Obfuscate the last 4 for SSNs and the first 12 for CCs? Amex and other cards might need minor tweaks, as they have a slightly different number format.

2. For the 'ssn_file' directive, it looks like, as of 06/24/2011, the US Social Security Administration switched to a randomized SSN format that deprecates the need for this file. The last file that they issued was on the above date:

http://www.socialsecurity.gov/employer/randomization.html
http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

So is this directive still needed? Or would it make sense to incorporate the final release into Snort and remove this directive?

3. No output from the alerts is logged. I brought this issue up once before when I reported that tcpdump files contain only the 24-byte PCAP header and nothing else. I have since run into this issue while using file_data, too. So it seems to be something with the way preprocessor alerts are processed that they are not logged to files in some cases. I even tested unified2 output, and all I get is a 0-byte file written to my log directory. If I use -A full, and configure alert_full, then I get the text of the alert and the IP/TCP headers only written out to a file, but no application layer or payload.

This partially relates back to item #1, because I can't see what exactly mask_output should be obfuscating. So I am still confused on why Snort is writing empty files out. That still seems like a bug to me.

Here are the relevant parts of my config and test rules:

    output log_tcpdump: log/snort.log
    output alert_full: alert.full
    output alert_unified2: filename alert.u2
    output log_unified2: filename log.u2

    preprocessor sensitive_data: \
        mask_output \
        ssn_file ssn-grps-20110624-final.csv

    alert tcp any any -> any 25 (msg:"sd_pattern test smtp"; sd_pattern:1,us_social; sid:42000030; rev:1; gid:138; classtype:policy-violation;)

Thanks!

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
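The post above asks what mask_output should be obfuscating and proposes masking the last four digits of an SSN and the first 12 digits of a Visa/MasterCard number. As an added illustration (not Snort's preprocessor code, and not part of the original message), the following Python scanner applies exactly that convention to a constructed SMTP body: it counts us_social and credit-card hits the way an sd_pattern count threshold would, and masks the matches before the payload is written to a log. The Luhn check used to reject a 16-digit number that is not a card number is an assumption added here; the regexes, sample message and the mask_sensitive/scan_payload names are likewise assumptions, not anything from the Snort source.

```python
import re

# Constructed sample: an SMTP body with one SSN, one valid card number and
# one 16-digit number that fails the Luhn check (a tracking number, say).
SAMPLE_SMTP = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: renewal\r\n\r\n"
    "My SSN is 123-45-6789 and the card on file is 4111 1111 1111 1111.\r\n"
    "Shipment reference: 1234 5678 9012 3456.\r\n"
)

# SSN in the dashed ###-##-#### form; groups let the masker keep the prefix.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits, optionally separated by single spaces or dashes, starting
# and ending on a digit so a trailing separator is never swallowed.
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(raw: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with X, preserving separators."""
    total = sum(ch.isdigit() for ch in raw)
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep else "X")
        else:
            out.append(ch)
    return "".join(out)


def scan_payload(text: str):
    """Return (masked_text, hit_counts) for one application-layer payload.

    SSNs lose their last four digits (the convention proposed in the post);
    Luhn-valid card numbers lose everything but their last four digits.
    Digit runs that fail Luhn are left untouched and not counted.
    """
    counts = {"us_social": 0, "credit_card": 0}

    def ssn_sub(m: re.Match) -> str:
        counts["us_social"] += 1
        return f"{m.group(1)}-{m.group(2)}-XXXX"

    def cc_sub(m: re.Match) -> str:
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw          # not a card number, leave it alone
        counts["credit_card"] += 1
        return mask_card(raw, keep=4)

    text = SSN_RE.sub(ssn_sub, text)
    text = CC_RE.sub(cc_sub, text)
    return text, counts


def should_alert(counts: dict, pattern: str, threshold: int) -> bool:
    """Mimic an sd_pattern:<count>,<pattern> rule: alert once hits >= count."""
    return counts.get(pattern, 0) >= threshold


if __name__ == "__main__":
    masked, hits = scan_payload(SAMPLE_SMTP)
    print(masked)
    print(hits, "alert:", should_alert(hits, "us_social", 1))
```

Masking the payload before it reaches the tcpdump or unified2 writer is the point of the exercise: a sensor that logs the full application layer unmasked turns its own log directory into a second copy of the data it was deployed to protect.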
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!