IDS mailing list archives
Re: Using Snort to find creditcard data?
From: Siim Põder <siim () p6drad-teel net>
Date: Wed, 17 Oct 2007 15:47:15 +0300
Yo! Craig Chamberlain wrote:
> This has been an area of interest for me for some time. It's very true the regexp based detection technologies can produce high rates of false positives and are easily evaded. It's not uncommon for data leaks to take place over VPNs; a case study like this was presented at Black Hat this year. Even without encryption, the number of possible obfuscation techniques is quite large (and we're assuming the data is ASCII; there are probably enough obscure back end applications with binary protocols to keep a good sized protocol dissector development team frustrated indefinitely).
I think detecting CCNs with Snort is mostly to spot accidental leaks - database replicas, logging, (unencrypted) backups or so. You have to adjust your signatures to detect the type of encoding your backend uses.
> I've seen some good success combining specification based techniques - like these regexps - with behavioral detection - such as using netflow or other flow data, for example, to detect unexpected large or long duration data streams headed for places that don't make sense (e.g. foreign networks, foreign countries or external networks with which no business relationship exists). It seems to often be the case that systems containing high-value data have a predictable enough network behavioral repertoire that this kind of behavioral detection performs acceptably.
Detecting suspicious flows is a good idea anyway - with or without credit card numbers potentially floating about.
> This kind of behavioral detection, optionally corroborated with available specification based detection such as regexp detects, can have acceptably low false positive rates. Another advantage of flow data is that it is hard to evade detection of the fact that you're moving a lot of data; you can obfuscate and encrypt the traffic but you can't conceal the fact that a quantity of traffic (and presumably data, if the payload is not garbage) is being transmitted. Of course, if an obvious attack of some sort precedes all of this - with a resulting detect or detects from an IDS to corroborate - then confidence is again higher.
It is most likely possible to hide the fact that data is being transported as well (I'm sure you weren't actually trying to imply otherwise, just including it for the sake of completeness). Data could be transported in unused header fields of other data flows or just between other similar legitimate flows.

Siim
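As an added illustration (not code from this thread or from Snort), here is a small Python prototype of the two approaches discussed above: a Luhn-checked card-number regexp over ASCII payloads, which drops digit runs that a bare regexp would flag as false positives, and a flow check that flags unexpectedly large transfers from internal hosts to external networks. The internal prefixes, byte threshold and sample records are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Candidate 13-16 digit runs, allowing the space/dash separators a backend
# might emit; (?<!\d) and (?!\d) keep it from matching inside longer runs.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs a regexp alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(payload):
    """Return Luhn-valid candidates found in an ASCII payload (separators stripped)."""
    found = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


# Constructed assumption: these prefixes are "internal"; everything else is external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def suspicious_flows(flows, byte_threshold=50_000_000):
    """Flag (src, dst, bytes) flow records leaving the internal networks above a threshold."""
    return [(src, dst, nbytes) for src, dst, nbytes in flows
            if is_internal(src) and not is_internal(dst) and nbytes >= byte_threshold]


# Constructed sample input: one Luhn-valid test number, one random 16-digit reference.
SAMPLE_PAYLOAD = "POST /checkout card=4111-1111-1111-1111 ref=1234567812345678"
SAMPLE_FLOWS = [("10.1.2.3", "198.51.100.7", 80_000_000),   # large, external: flagged
                ("10.1.2.3", "10.1.2.4", 900_000_000),       # large, but internal
                ("10.1.2.5", "203.0.113.9", 1_000)]          # external, but tiny
```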