Re: Using snort in an PCI DSS environment

[John Millican <john () millican us>]

Just worked with a QSA on a PCI DSS audit, Although IANAL! YMMV.

We did use snort as part of our IDS/IPS scheme(pfSense install) and we
were told that any time there is a chance that a card number could be
captured it was our responsibility to prevent that.  There are
remediation policies that "might" allow you to get around this but it is
highly doubtful that they would stand up in court if it ever came to that.

The first issue that comes to mind though is that anytime track data is
in transit on a public network it should be encrypted so snort should
never even see that there is a card number (or any other track data) in
the data stream.  On your internal network this requirement is not as
clear, but we kept all data encrypted until it was actually needed to be
used by the application and then re encrypted immediately afterward.

One of the very first things our QSA did was scan every system in scope
for card numbers, and other data, that should not be stored in the clear.

PCI does not "force" you to encrypt the entire HDD, you can encrypt only
the protected data and be in compliance.  It is your choice which method
best suits you environment.

Regards,
JohnM

On 11/20/2013 09:03 AM, elof () sentor se wrote:
> Anyone here using a snort sensor in an PCI environment?
>
> I'm wondering about PCI compliance regarding logging of potential card 
> numbers...
>
>
> Say I have a snort sensor in a PCI environment.
> Nothing in the sensor is configured to detect and log card numbers on 
> purpose. Only normal IDS-rules are enabled.
>
> Do PCI still force me to encrypt the harddrive just because there is a 
> possibility that a card number *could* accidentally be logged?
>
>
> What do your QSA say?
>
> Yes, the sensor's HDD is in scope and must be encrypted.
>
> or
>
> No, a few potential card numbers, logged by accident, does not count. 
> It's like saying you need to encrypt your mailserver's harddrive just 
> because someone can e-mail you card numbers even though you haven't asked 
> for them.
>
> /Elof
>
> ------------------------------------------------------------------------------
> Shape the Mobile Experience: Free Subscription
> Software experts and developers: Be at the forefront of tech innovation.
> Intel(R) Software Adrenaline delivers strategic insight and game-changing 
> conversations that shape the rapidly evolving mobile landscape. Sign up now. 
> http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!