Snort mailing list archives
Re: preprocessor sensitive_data (snort 2.8.6.0)
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 4 Jun 2010 11:32:23 -0400
Ron,

Which output plugin are you using? If you are getting some obfuscation, but in the wrong spot, this is also a known bug that will be fixed.

-Ryan

On Fri, Jun 4, 2010 at 11:22 AM, Ron Jenkins <rjenkins () rmjcs net> wrote:

> Good morning;
>
> Also the mask out option does not appear to work either.
>
> Thx
>
> Ron Jenkins (SnortCP, VCP 3 / 4, MCNE, CNE6, MCPS, MCNPS, CCNA)
> RMJ Consulting, LLC. "Bringing Companies and Solutions Together"
> Owner / Senior Architect
> Physical Address: 11715 Bricksome Ave STE B-7, Baton Rouge, LA 70816
> Mail Address: 7575 Jefferson Hwy #103, Baton Rouge, LA 70806
> Office. 225-448-5214
> Fax. 225-448-5324
> Cell. 225-931-1632
> Email. rjenkins () rmjconsulting net
> Web. http://www.rmjconsulting.net/
> http://www.linkedin.com/in/ronmjenkins
>
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
> Sent: Friday, June 04, 2010 9:40 AM
> To: Jason Wallace
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)
>
> Jason,
>
> Your concerns are all definitely valid.
>
> On Fri, Jun 4, 2010 at 9:58 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:
>
> > We have the same issue. I know this preprocessor is new, and while it
> > has huge potential, there are some challenges with it.
> >
> > 1. Long strings of numbers trigger false positives.
>
> This was a bug in the Release Candidate. As of Snort 2.8.6 final, both the "us_social" and "us_social_nodashes" patterns require a non-digit on both sides of the number. Have you seen this problem since upgrading to the release version?
>
> > 2. You can only have 1 rule with each default pattern type.
>
> I have a bug sitting in my Bugzilla queue right now to go back and fix this. Expect a change in the next major Snort release.
>
> > 3. From the README.sensitive_data.bz2
> >
> > Caveats:
> > sd_pattern is not compatible with other rule options. Trying to use
> > other rule options with sd_pattern will result in an error message.
>
> This one is not expected to change in the next release. I'll try to explain briefly.
>
> Normally, when a rule is parsed, it gets broken into sections and thrown into a "tree" with the other rules. Then, after all the preprocessors are done running on a packet, Snort goes through this tree and starts matching rules against the packet.
>
> When a sensitive data rule gets parsed, it does not go in the tree with the other rules. Instead, the Sensitive Data preprocessor becomes responsible for matching patterns and firing alerts. This gets done before the rest of the rules are even evaluated.
>
> I have an idea or two for organizing things differently so that this isn't a problem, but it's not a quick fix, and thus not very high on my list of priorities right now. I will try to get to it as time allows.
>
> -Ryan
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
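As an added illustration (not Snort's own code, and not from any of the messages above), the following Python model shows the two behaviours discussed in the thread: the release-candidate style pattern that fires on any SSN-shaped run of digits inside a longer number, the 2.8.6 final style pattern that requires a non-digit on both sides, and a masking step. The mask behaviour (all but the last four digits replaced with X) and the sample text are assumptions constructed for this example.

```python
import re

# Constructed approximations of the "us_social_nodashes" pattern as the
# thread describes it: the RC version matched nine digits anywhere, so a
# 20-digit serial number produced false positives; the 2.8.6 final version
# requires a non-digit (or start/end of data) on both sides of the number.
RC_US_SOCIAL_NODASHES = re.compile(r"\d{9}")
US_SOCIAL_NODASHES = re.compile(r"(?<!\d)\d{9}(?!\d)")
US_SOCIAL = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed sample payload: one dashed SSN, one long serial number that
# must NOT be reported, and one nine-digit SSN without dashes.
SAMPLE = "SSN: 123-45-6789, serial 12345678901234567890, tracking 987654321."


def find_ssns(text, pattern):
    """Return every match of `pattern` in `text`, in order."""
    return [m.group(0) for m in pattern.finditer(text)]


def mask_output(text, pattern):
    """Replace all but the last four digits of each match with 'X'.

    This mirrors the mask-output behaviour assumed for this example; digits
    are counted so that separators such as dashes are preserved.
    """
    def _mask(m):
        s = m.group(0)
        total = sum(c.isdigit() for c in s)
        seen, out = 0, []
        for c in s:
            if c.isdigit():
                seen += 1
                out.append(c if seen > total - 4 else "X")
            else:
                out.append(c)
        return "".join(out)
    return pattern.sub(_mask, text)


if __name__ == "__main__":
    print("RC style   :", find_ssns(SAMPLE, RC_US_SOCIAL_NODASHES))
    print("final style:", find_ssns(SAMPLE, US_SOCIAL_NODASHES))
    print(mask_output(mask_output(SAMPLE, US_SOCIAL), US_SOCIAL_NODASHES))
```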
Current thread:
- preprocessor sensitive_data (snort 2.8.6.0) Lawrence R. Hughes, Sr. (Jun 03)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Joel Esler (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Jason Wallace (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Safwat Fahmy (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Jason Wallace (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Joel Esler (Jun 04)