Snort mailing list archives
Re: preprocessor sensitive_data (snort 2.8.6.0)
From: "Safwat Fahmy" <safwat.fahmy () safemedia com>
Date: Fri, 4 Jun 2010 16:18:07 -0400
Ryan:

Thanks for the explanation. I would like to ask why not use hash table without collisions in SSN numbers?

Safwat

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
Sent: Friday, June 04, 2010 10:54 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)

While I'm at it, here's a little insight as to why the SSN rules are so noisy.

SSNs are broken up into three sections: AAA-GG-SSSS, where
AAA is the three-digit Area Number
GG is the two-digit Group Number
SSSS is the four-digit Serial Number

Now, there is a list of all valid three-digit Areas, and the highest Group assigned to them. You can see such lists here:
http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

Here's the problem:
- Most 3-digit Area numbers are valid. They go 001 through 772. (The area 666 is invalid, since it's the Number of the Beast.)
- For a good portion of these Areas, most (or all) of the Groups are valid.
- All 4-digit Serial numbers are valid, except for 0000.
- There are no check digits

So, we do take advantage of the "high group" list to throw out invalid numbers. However, the nature of the problem is that you can generate a random 9-digit number, and it has a *really good* chance at being a valid SSN. Thus, the rule for SSNs without Dashes is really noisy.

I hope this has been helpful for some people. Now, back to your regularly-scheduled questions about the database output plugin.

-Ryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
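Added example, not part of the original messages and not Snort's own code: a Python implementation of the structural checks Ryan describes, used to measure how many random nine-digit strings pass them. The group issuance order is taken from the SSA's high-group documentation rather than from the thread, and the high-group table and test strings are constructed for illustration.

```python
import re

# SSA issuance order for group numbers (from the SSA high-group page, not
# stated in the thread): odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = [*range(1, 10, 2), *range(10, 99, 2), *range(2, 9, 2), *range(11, 100, 2)]
RANK = {g: i for i, g in enumerate(GROUP_ORDER)}
# Nine ASCII digits, either fully dashed (AAA-GG-SSSS) or with no dashes.
SSN_RE = re.compile(r"(\d{3})(-?)(\d{2})\2(\d{4})", re.ASCII)

def area_ok(area):
    """Areas 001-772 are valid, except 666 (rule from the thread)."""
    return 1 <= area <= 772 and area != 666

def is_plausible_ssn(text, high_group):
    """True if text passes every structural check; there is no check digit."""
    m = SSN_RE.fullmatch(text)
    if not m:
        return False
    area, group, serial = int(m[1]), int(m[3]), int(m[4])
    if not area_ok(area) or serial == 0 or group not in RANK:
        return False
    top = high_group.get(area)  # highest group issued so far for this area
    return top is not None and RANK[group] <= RANK[top]

def pass_fraction(high_group):
    """Share of all 10**9 nine-digit strings that pass the checks above."""
    issued = sum(RANK[top] + 1 for area, top in high_group.items() if area_ok(area))
    return issued * 9999 / 10**9  # 9999 valid serials per issued (area, group)

# Constructed high-group table: every area fully issued (99), except area 001
# capped at group 06. Illustration values only, not real SSA data.
SAMPLE_HIGH_GROUP = {a: 99 for a in range(1, 773) if a != 666}
SAMPLE_HIGH_GROUP[1] = 6

if __name__ == "__main__":
    for s in ["001-04-1234", "001-08-1234", "666-12-3456", "123456789", "123-45-0000"]:
        print(s, is_plausible_ssn(s, SAMPLE_HIGH_GROUP))
    print(f"random 9-digit pass rate: {pass_fraction(SAMPLE_HIGH_GROUP):.1%}")
```

With this constructed table roughly three out of four random nine-digit strings pass, which is the noise the undashed SSN rule runs into.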
Current thread:
- preprocessor sensitive_data (snort 2.8.6.0) Lawrence R. Hughes, Sr. (Jun 03)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Joel Esler (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Jason Wallace (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Safwat Fahmy (Jun 04)
- Message not available
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Message not available
- Re: preprocessor sensitive_data (snort 2.8.6.0) Ryan Jordan (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Jason Wallace (Jun 04)
- Re: preprocessor sensitive_data (snort 2.8.6.0) Joel Esler (Jun 04)