IDS mailing list archives

RE: Using Snort to find creditcard data?

From: "Ofer Shezaf" <OferS () Breach com>
Date: Tue, 2 Oct 2007 07:24:58 -0400


All the answers where good but also partial as the subject is far from
trivial.

There are few aspects to detecting credit card numbers on the network,
and I will try to address them:

1. Matching credit card numbers
2. Handling false positives
3. Evasion
4. Logging

Matching Credit Card Numbers
============================
Valid card numbers:

1. Are 13-16 digits long. This is easy to detect using regular
expressions but may result in a lot of false positives. A lot of IDs are
in this range.

2. Conform to the LUAN checksum function. Being a checksum function it
matches 1 out of 10 numbers in the range. Since many times applications
that use numbers of this length use an entire range, there will still be
false positives. LUAN cannot be verified using regular expressions and
would require code.

3. Have certain prefixes which were assigned to issuers. A pretty good
table of assigned prefixes can be found in Wikipedia, but I'm not sure
it is comprehensive (http://en.wikipedia.org/wiki/Credit_card_number).
Prefixes further reduce false positives and can be implemented using a
(complex) regular expression. Using prefixes introduce a risk of false
negatives due to omission of less common prefixes. For example we have
not been aware until recently of Bankcard from Austria. This is
especially a problem internationally.

False positives
===============

The problem is that the above rules generate a lot of false positives.
Most false positives are related to normal application traffic using
long ASCII numbers. Such an application would usually use a range and
therefore hit some valid numbers. 

Since the PCI requirement is for "Encrypt transmission of cardholder
data (only) across open, public networks", another source of false
positives are applications that transmit credit card numbers
intentionally and legally.

The solution for such false positives would be exceptions, which I'm not
sure Snort is the best solution for and would require an application
layer IDS. A network layer exception would be limited to addresses and
ports while a good exception would be by a specific property of the
transaction such as URL and parameter (for HTTP traffic). For web
traffic I would use for example something like ModSecurity. But I'm
biased.

Evasion
=======
It is important to note that any such mechanism will detect only
erroneous use of credit card numbers. Even the simplest transformation
function on the numbers will enable them to bypass detection, so most
malicious usage would not be detected.

There is also an issue with leakage through encrypted channels, since
PCI requires encryption, leakage would many times be encrypted. IDS
limitations regarding encrypted traffic have been discussed extensively
here (http://archives.neohapsis.com/archives/sf/ids/2007-q3/0084.html)
and elsewhere.

Logging:
========
Assuming that we did everything right and built a system for detecting
credit card numbers on the network, we cannot keep the number as we
would violate PCI in the detection system. Solutions are:

(a) Encrypt all collected information

(b) Mask the credit card number


~ Ofer Shezaf


Ofer Shezaf
ofers () breach com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119

CTO, Breach Security, www.breach.com
Chair, OWASP Israel, www.owasp.org/index.php/israel
Officer, Web Applicaiton Security Consortium, www.webappsec.org
Leader, ModSecurity Core Rule Set Project,
www.modsecurity.org/projects/rules/
Maintainer, Web Hacking Incidents Database,
www.webappsec.org/projects/whid

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of jerikl75 () gmail com
Sent: Wednesday, September 26, 2007 9:36 PM
To: focus-ids () securityfocus com
Subject: Using Snort to find creditcard data?

Would it be possible to write a Snort rule that triggers on possible
creditcard numbers and how would it look like?

PCI standars says that all creditcard data should be encrypted, It
woild be nice to verify that no card data shows up where it
shouldn't...

-----------------------------------------------------------------------

-
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campai

gn=intro_sfw
to learn more.

-----------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Current thread:

Re: Using Snort to find creditcard data? Mike Lococo (Oct 01)
- <Possible follow-ups>
- Re: Using Snort to find creditcard data? Stefano Zanero (Oct 01)
  - Re: Using Snort to find creditcard data? Martin Roesch (Oct 02)
- Re: Using Snort to find creditcard data? Ron Gula (Oct 01)
- Re: Using Snort to find creditcard data? Jason (Oct 01)
- RE: Using Snort to find creditcard data? Srinivasa Addepalli (Oct 01)
- Re: Using Snort to find creditcard data? Thrynn (Oct 01)
- Re: Using Snort to find creditcard data? Jason Ross (Oct 01)
- RE: Using Snort to find creditcard data? Ofer Shezaf (Oct 02)
  - RE: Using Snort to find creditcard data? Craig Chamberlain (Oct 16)
    - Re: Using Snort to find creditcard data? Siim Põder (Oct 18)
    - Message not available
    - Re: Using Snort to find creditcard data? Siim Põder (Oct 19)
    - RE: Using Snort to find creditcard data? Craig Chamberlain (Oct 19)
- Re: Using Snort to find creditcard data? Siim Põder (Oct 10)