Snort mailing list archives

Re: Using snort in an PCI DSS environment


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 20 Nov 2013 09:51:58 -0700

On 2013-11-20 09:40, elof () sentor se wrote:
Hi James.

As I understand it, the sd_preprocessor only masks packets that are matched with the sd_pattern rule option, i.e. rules to detect and alert on e.g. card numbers.
That is the opposite of what I wrote.

Even with masking enabled, all thousands of rules that do not contain the sd_pattern keyword could, in theory, log a packet that accidentally contains a card number.

/Elof


On Wed, 20 Nov 2013, James Lay wrote:

On 2013-11-20 07:03, elof () sentor se wrote:
Anyone here using a snort sensor in a PCI environment?

I'm wondering about PCI compliance regarding logging of potential card numbers...


Say I have a snort sensor in a PCI environment.
Nothing in the sensor is configured to detect and log card numbers on purpose. Only normal IDS rules are enabled.

Does PCI still force me to encrypt the hard drive just because there is a possibility that a card number *could* accidentally be logged?


What does your QSA say?

Yes, the sensor's HDD is in scope and must be encrypted.

or

No, a few potential card numbers, logged by accident, do not count.
It's like saying you need to encrypt your mailserver's hard drive just because someone can e-mail you card numbers even though you haven't asked for them.

/Elof

Elof, are you logging to unified by chance?  Or only syslog/fast file?
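The worry in this thread is that ordinary rules, not just sd_pattern rules, may log a packet that happens to carry a card number. As an added example (not code from the thread or from Snort itself), this Python script audits log text for Luhn-valid 13 to 19 digit runs and masks all but the last four digits, which is the check a sensor owner can run against existing logs before answering the QSA; the sample log lines are constructed, and the assumption that a payload excerpt is stored with each alert is mine.

```python
import re

# Constructed sample of Snort "fast"-style alert lines, each followed by a
# printable payload excerpt (assumption: your sensor records payload text with
# the alert; adjust the parsing to the log format you actually keep).
SAMPLE_LOG = """\
11/20-09:40:01.123456  [**] [1:2000001:1] WEB-MISC suspicious POST [**] {TCP} 10.0.0.5:51234 -> 10.0.0.9:443
payload: card=4111111111111111&exp=1219&cvv=123
11/20-09:40:02.654321  [**] [1:2000002:1] POLICY ticket lookup [**] {TCP} 10.0.0.5:51235 -> 10.0.0.9:80
payload: ticket=4111111111111112&user=bob
11/20-09:40:03.777777  [**] [1:2000003:1] SMTP outbound mail [**] {TCP} 10.0.0.7:40001 -> 10.0.0.25:25
payload: body=please bill 4111 1111 1111 1111 thanks
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (timestamps, IPs and sids stay untouched).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum validation, the check digit scheme used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, digits) for every Luhn-valid candidate in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, digits))
    return hits


def scrub(text: str) -> str:
    """Mask all but the last four digits of each Luhn-valid candidate."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # not a plausible PAN, leave it alone
        return "X" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text)
```

On the sample, find_pans() reports lines 2 and 6 and ignores the Luhn-invalid ticket number on line 4; scrub() returns the same text with both card numbers masked.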


