Snort mailing list archives
Re: Sensitive Data Preprocessor
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Mon, 12 Mar 2012 12:06:55 -0400
Joshua,

Thanks for your email. Sorry for the late reply. Comments inline.

On Tue, Feb 21, 2012 at 8:08 PM, Joshua Kinard <kumba () gentoo org> wrote:
This is a curious little preprocessor, so I decided to play with it a bit, and have a few questions...

1. For the 'mask_output' directive, where does that actually operate? I tested out some sample e-mail traffic I generated with an SSN in it, and in both the console output and the raw packet output, the SSN was clearly visible, so I am dubious if this directive actually works as advertised. Also, it says it will obfuscate the last four digits of credit card numbers. My experience has shown the opposite to be true, that the first 12 digits (for Visa, MasterCard) are typically obfuscated out while leaving the last four visible. Should Snort mirror this? Obfuscate the last 4 for SSN and the first 12 for CC's? Amex and other cards might need minor tweaks, as they have a slightly different number format.
The README.sensitive_data says:

mask_output
This option replaces all but the last 4 digits of a detected PII with "X"s. This is only done on credit card & Social Security numbers, where an organization's regulations may prevent them from seeing unencrypted numbers.

What doc are you referring to?
2. For the 'ssn_file' directive, it looks like that as of 06/24/2011, the US Social Security Administration switched to a randomized SSN format that deprecates the need for this file. The last file that they issued was on the above date:

http://www.socialsecurity.gov/employer/randomization.html
http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

So is this directive still needed? Or would it make sense to incorporate the final release into Snort and remove this directive?
We have filed a bug to fix this. Thank you for pointing it out.
3. No output from the alerts is logged. I brought this issue up once before when I reported that tcpdump files contain only the 24-byte PCAP header and nothing else. I have since run into this issue while using file_data, too. So it seems to be something with the way preprocessor alerts are processed that they are not logged to files in some cases. I even tested unified2 output, and all I get is a 0-byte file written to my log directory. If I use -A full, and configure alert_full, then I get the text of the alert and the IP/TCP headers only written out to a file, but no application layer or payload. This partially relates back to item #1, because I can't see what exactly mask_output should be obfuscating, so I am still confused on why Snort is writing empty files out. That still seems like a bug to me. Here's the relevant parts of my config and test rules:

output log_tcpdump: log/snort.log
output alert_full: alert.full
output alert_unified2: filename alert.u2
output log_unified2: filename log.u2

preprocessor sensitive_data: \
    mask_output \
    ssn_file ssn-grps-20110624-final.csv

alert tcp any any -> any 25 (msg:"sd_pattern test smtp"; sd_pattern:1,us_social; sid:42000030; rev:1; gid:138; classtype:policy-violation;)
A bug has been filed to address this. Can you send me the pcap and conf you used?
Thanks!

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
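As an added illustration (not Snort code, and not posted by either participant), here is a small Python emulation of what the README quoted above says `sd_pattern:<count>,<pattern>` combined with `mask_output` should do: count the matches of a PII pattern in a payload, alert once the count threshold is reached, and X out all but the last four digits before the payload is logged. The regexes are simplified assumptions standing in for Snort's real us_social and credit_card matchers, and the sample payload is constructed.

```python
import re

# Constructed regexes approximating the README's us_social (9 digits with
# optional dash/space separators) and credit_card (13-16 digits, optionally
# grouped by 4) patterns; they are assumptions, not Snort's own matchers.
PATTERNS = {
    "us_social": re.compile(r"\b\d{3}([- ]?)\d{2}\1\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{1,4}\b"),
}


def mask_digits(text: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with 'X', keeping any
    separators, which is the behaviour README.sensitive_data documents for
    mask_output (the last four digits stay visible)."""
    digits = sum(ch.isdigit() for ch in text)
    to_mask = max(digits - keep_last, 0)
    out = []
    for ch in text:
        if ch.isdigit() and to_mask > 0:
            out.append("X")
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


def sd_pattern(payload: str, count: int, pattern: str, mask_output: bool = True):
    """Emulate `sd_pattern:<count>,<pattern>` with the mask_output option.

    Returns (alerted, match_count, payload_as_it_would_be_logged)."""
    regex = PATTERNS[pattern]
    match_count = sum(1 for _ in regex.finditer(payload))
    alerted = match_count >= count
    if mask_output:
        logged = regex.sub(lambda m: mask_digits(m.group(0)), payload)
    else:
        logged = payload
    return alerted, match_count, logged


# Constructed SMTP-style payload for the demonstration, not captured traffic.
SAMPLE = "Subject: forms\r\nMy SSN is 123-45-6789; card 4111 1111 1111 1111 exp 12/14\r\n"

if __name__ == "__main__":
    for name in PATTERNS:
        print(name, sd_pattern(SAMPLE, 1, name))
```

With `sd_pattern:1,us_social` the SSN is logged as `XXX-XX-6789` while the card number, which that rule does not match, is left untouched.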