Snort mailing list archives

Re: Sensitive Data Preprocessor


From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Mon, 12 Mar 2012 12:06:55 -0400

Joshua,

Thanks for your email.

Sorry for the late reply. Comments inline.


On Tue, Feb 21, 2012 at 8:08 PM, Joshua Kinard <kumba () gentoo org> wrote:


> This is a curious little preprocessor, so I decided to play with it a bit,
> and have a few questions...
>
> 1. For the 'mask_output' directive, where does that actually operate?  I
> tested out some sample e-mail traffic I generated with an SSN in it, and in
> both the console output and the raw packet output, the SSN was clearly
> visible, so I am dubious if this directive actually works as advertised.
>
> Also, it says it will obfuscate the last four digits of credit card
> numbers.  My experience has shown the opposite to be true, that the first 12
> digits (for Visa, MasterCard) are typically obfuscated out while leaving the
> last four visible.  Should Snort mirror this?  Obfuscate the last 4 for SSN
> and the first 12 for CC's?  Amex and other cards might need minor tweaks, as
> they have a slightly different number format.


The README.sensitive_data says

    mask_output
        This option replaces all but the last 4 digits of a detected PII with
        "X"s. This is only done on credit card & Social Security numbers, where
        an organization's regulations may prevent them from seeing unencrypted
        numbers.

What doc are you referring to?




> 2. For the 'ssn_file' directive, it looks like that as of 06/24/2011, the US
> Social Security Administration switched to a randomized SSN format that
> deprecates the need for this file.  The last file that they issued was on
> the above date:
>
> http://www.socialsecurity.gov/employer/randomization.html
> http://www.socialsecurity.gov/employer/ssnvhighgroup.htm
>
> So is this directive still needed?  Or would it make sense to incorporate
> the final release into Snort and remove this directive?



We have filed a bug to fix this. Thank you for pointing it out.


> 3. No output from the alerts is logged.  I brought this issue up once before
> when I reported that tcpdump files contain only the 24-byte PCAP header and
> nothing else.  I have since run into this issue while using file_data, too.
> So it seems to be something with the way preprocessor alerts are processed
> that they are not logged to files in some cases.
>
> I even tested unified2 output, and all I get is a 0-byte file written to my
> log directory.  If I use -A full, and configure alert_full, then I get the
> text of the alert and the IP/TCP headers only written out to a file, but no
> application layer or payload.
>
> This partially relates back to item #1, because I can't see what exactly
> mask_output should be obfuscating.  So I am still confused on why Snort is
> writing empty files out.  That still seems like a bug to me.


> Here are the relevant parts of my config and test rules:
>
> output log_tcpdump: log/snort.log
> output alert_full: alert.full
> output alert_unified2: filename alert.u2
> output log_unified2: filename log.u2
>
> preprocessor sensitive_data:  \
>        mask_output  \
>        ssn_file ssn-grps-20110624-final.csv
>
> alert tcp any any -> any 25 (msg:"sd_pattern test smtp";
> sd_pattern:1,us_social; sid:42000030; rev:1; gid:138;
> classtype:policy-violation;)



A bug has been filed to address this. Can you send me the pcap and conf you
used?

Thanks!

> --
> Joshua Kinard
> Gentoo/MIPS
> kumba () gentoo org
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us.  And
> our lives slip away, moment by moment, lost in that vast, terrible
> in-between."
>
> --Emperor Turhan, Centauri Republic
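The masking rule quoted from README.sensitive_data above (every digit except the last four of a detected SSN or credit card number replaced with "X", so the last four stay visible) and the question of whether a high-group file is still needed after the 2011 randomization can both be tried outside Snort. The Python below is an added example written for this archive page; it is not Snort's sensitive_data preprocessor code and not something posted in the thread. The structural SSN checks it applies (area 000, 666 and 900-999 are never assigned; group 00 and serial 0000 are never issued) are SSA rules that hold both before and after randomization and need no high-group table; the Luhn filter on card numbers is this example's own false-positive check, not something the thread describes; the SMTP body is constructed.

```python
import re

# Constructed sample SMTP body (not from the thread): one valid-looking SSN,
# one SSN with an unassigned area number, a Luhn-valid test card number and a
# 12-digit invoice number that must be left alone.
SAMPLE_MESSAGE = (
    "From: payroll@example.com\r\n"
    "To: hr@example.com\r\n"
    "Subject: new hire\r\n"
    "\r\n"
    "SSN 123-45-6789, card 4111 1111 1111 1111, invoice 1234-5678-9012\r\n"
    "ref 000-12-3456\r\n"
)

# us_social style: AAA-GG-SSSS with the same separator (or none) in both places.
SSN_RE = re.compile(r"\b(\d{3})([ -]?)(\d{2})\2(\d{4})\b")
# 16-digit card number with optional single space/dash separators between digits.
CC_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def ssn_is_plausible(area, group, serial):
    """Structural rules the SSA applies both before and after the 2011
    randomization: area 000, 666 and 900-999 are never assigned, group 00
    and serial 0000 are never issued. No high-group file is needed for this."""
    a = int(area)
    if a == 0 or a == 666 or 900 <= a <= 999:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn mod-10 checksum over a string of digits. Used here as an added
    false-positive filter for card numbers (this example's choice)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_all_but_last4(token):
    """Replace every digit except the last four with 'X', keeping separators."""
    total_digits = sum(ch.isdigit() for ch in token)
    out = []
    seen = 0
    for ch in token:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def mask_output(text):
    """Return (masked_text, findings); findings is a list of (pattern, original)."""
    findings = []

    def ssn_sub(m):
        if not ssn_is_plausible(m.group(1), m.group(3), m.group(4)):
            return m.group(0)          # structurally impossible SSN: leave it alone
        findings.append(("us_social", m.group(0)))
        return mask_all_but_last4(m.group(0))

    def cc_sub(m):
        if not luhn_ok(re.sub(r"\D", "", m.group(0))):
            return m.group(0)          # fails Luhn: probably not a card number
        findings.append(("credit_card", m.group(0)))
        return mask_all_but_last4(m.group(0))

    text = SSN_RE.sub(ssn_sub, text)
    text = CC_RE.sub(cc_sub, text)
    return text, findings


if __name__ == "__main__":
    masked, hits = mask_output(SAMPLE_MESSAGE)
    for pattern, original in hits:
        print(f"{pattern}: {original!r} -> {mask_all_but_last4(original)!r}")
    print(masked)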



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!