Snort mailing list archives

Re: Possible new idea for PII/Sensitive Data in Snort


From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Wed, 25 Jun 2014 16:10:39 -0300

Hi Bill,

I think it could be an interesting thing to do. If you need a practical
solution, you may generate a rules file definition with a little help from
some Python code, like this:

def genrules(base, min, max):
  # build one alert rule per code value in [min, max] and return them as one string
  setRules = ''
  for code in range(min, max+1):
    setRules += 'alert tcp any any -> any any (content:' + base + str(code) \
      + '; nocase; msg:"HIPPA Alert. Packet with ' + str(code) + ' detected.";)\n'
  return setRules

If you call this function with some of your example lines, let's take this
one:

print(genrules('90598-90800Z', 37, 49))

It will return:

alert tcp any any -> any any (content:90598-90800Z37; nocase; msg:"HIPPA Alert. Packet with 37 detected.";)
alert tcp any any -> any any (content:90598-90800Z38; nocase; msg:"HIPPA Alert. Packet with 38 detected.";)
alert tcp any any -> any any (content:90598-90800Z39; nocase; msg:"HIPPA Alert. Packet with 39 detected.";)
alert tcp any any -> any any (content:90598-90800Z40; nocase; msg:"HIPPA Alert. Packet with 40 detected.";)
alert tcp any any -> any any (content:90598-90800Z41; nocase; msg:"HIPPA Alert. Packet with 41 detected.";)
alert tcp any any -> any any (content:90598-90800Z42; nocase; msg:"HIPPA Alert. Packet with 42 detected.";)
alert tcp any any -> any any (content:90598-90800Z43; nocase; msg:"HIPPA Alert. Packet with 43 detected.";)
alert tcp any any -> any any (content:90598-90800Z44; nocase; msg:"HIPPA Alert. Packet with 44 detected.";)
alert tcp any any -> any any (content:90598-90800Z45; nocase; msg:"HIPPA Alert. Packet with 45 detected.";)
alert tcp any any -> any any (content:90598-90800Z46; nocase; msg:"HIPPA Alert. Packet with 46 detected.";)
alert tcp any any -> any any (content:90598-90800Z47; nocase; msg:"HIPPA Alert. Packet with 47 detected.";)
alert tcp any any -> any any (content:90598-90800Z48; nocase; msg:"HIPPA Alert. Packet with 48 detected.";)
alert tcp any any -> any any (content:90598-90800Z49; nocase; msg:"HIPPA Alert. Packet with 49 detected.";)


You may then call this function for each of your lines and append all of
them into a file called hippa.rules. (Or you can even generate a .py
calling all of them and write the output to a file from within the same
Python code.)

When you have your rules definition file ready, you can import it in your
snort.conf file.

Hope it helps!
Emiliano



2014-06-25 14:59 GMT-03:00 Bill Parker <wp02855 () gmail com>:

Hi All,

The information below is what I broke down to see if it would be useful
to add new rules to snort to detect medical diagnosis codes (ICD-10 format),
since this being transmitted in cleartext could be PII/sensitive data or a
potential HIPAA violation (data leakage).

I would appreciate some suggestions on implementing this: either with PCRE
in snort rules, or would making a new preprocessor or modifying an existing
one be more in line?

FY 2015 ICD-10 Codes PCRE/Pattern Match Values

This indicates POTENTIAL ICD-10 codes transmitted in cleartext
(think possible HIPAA violation, PII/Sensitive Data)

note: yyyy values can be alpha-numeric (and optional)

00001-00688 Annyyyy (where nn is 00 to 99)

00689-01292 Bnnyyyy (where nn is 00 to 99)

01293-02038 Cnnyyyy (where nn is 00 to 75)
02039-02076 C7xyyyy (where x is 'A' or 'B') - non case sensitive
02077-02717 Cnnyyyy (where nn is 76 to 96)

02718-03615 Dnnyyyy (where nn is 00 to 89)

03616-04494 Ennyyyy (where nn is 00 to 89)

04495-05421 Fnnyyyy (where nn is 01 to 99)

05422-06213 Gnnyyyy (where nn is 00 to 99)

06214-06867 Hnnyyyy (where nn is 00 to 05)
06868-07811 Hnnyyyy (where nn is 10 to 11)
07812-07522 Hnnyyyy (where nn is 15 to 18)
07523-07698 Hnnyyyy (where nn is 20 to 21)
07699 H22 (specific code)
07700-07854 Hnnyyyy (where nn is 25 to 27)
07855 H28 (specific code)
07856-08007 Hnnyyyy (where nn is 30 to 31)
08008 H32 (specific code)
08009-08312 Hnnyyyy (where nn is 33 to 35)
08313 H36 (specific code)
08314-08608 Hnnyyyy (where nn is 40)
08609 H42 (specific code)
08610-08829 Hnnyyyy (where nn is 43 to 44)
08830-08951 Hnnyyyy (where nn is 46 to 47)
08952-08989 Hnnyyyy (where nn is 49)
08990-09260 Hnnyyyy (where nn is 50 to 55)
09261-09280 Hnnyyyy (where nn is 57)
09281-09539 Hnnyyyy (where nn is 59 to 62)
09540-09919 Hnnyyyy (where nn is 65 to 75)
09920-10027 Hnnyyyy (where nn is 80 to 83)
10028-10203 Hnnyyyy (where nn is 90 to 95)

10204-10213 Innyyyy (where nn is 00 to 02)
10214-10259 Innyyyy (where nn is 05 to 13)
10260-10265 Innyyyy (where nn is 15)
10266-10388 Innyyyy (where nn is 20 to 28)
10389-10538 Innyyyy (where nn is 30 to 52)
10539-10679 Innyyyy (where nn is 60 to 63)
10680-11648 Innyyyy (where nn is 65 to 83)
11649-11729 Innyyyy (where nn is 85 to 89)
11730-11790 Innyyyy (where nn is 95 to 99)

11791-11844 Jnnyyyy (where nn is 00 to 06)
11845-11910 Jnnyyyy (where nn is 09 to 18)
11911-11926 Jnnyyyy (where nn is 20 to 21)
11927 J22 (specific code)
11928-12037 Jnnyyyy (where nn is 30 to 45)
12038-12041 J47yyyy
12042-12093 Jnnyyyy (where nn is 60 to 70)
12094-12098 Jnnyyyy (where nn is 80 to 82)
12099-12185 Jnnyyyy (where nn is 84 to 86)
12186-12211 Jnnyyyy (where nn is 90 to 96)
12212-12226 Jnnyyyy (where nn is 98 to 99)

12227-12303 Knnyyyy (where nn is 00 to 06)
12304-12394 Knnyyyy (where nn is 08 to 09)
12395-12445 Knnyyyy (where nn is 11 to 14)
12446-12471 Knnyyyy (where nn is 20 to 23)
12472-12558 Knnyyyy (where nn is 25 to 31)
12559-12564 K35yyyy
12565 K36
12566 K37
12567-12573 K38yyyy
12574-12637 Knnyyyy (where nn is 40 to 46)
12638-12747 Knnyyyy (where nn is 50 to 52)
12748-12883 Knnyyyy (where nn is 55 to 68)
12884-12960 Knnyyyy (where nn is 70 to 76)
12961 K77
12962-13033 Knnyyyy (where nn is 80 to 83)
13034-13047 Knnyyyy (where nn is 85 to 86)
13048 K87
13049-13090 Knnyyyy (where nn is 90 to 92)
13091-13122 Knnyyyy (where nn is 94 to 95)

13123-13319 Lnnyyyy (where nn is 00 to 05)
13320-13327 L08yyyy
13328-13358 Lnnyyyy (where nn is 10 to 13)
13359 L14
13360-13436 Lnnyyyy (where nn is 20 to 30)
13437-13475 Lnnyyyy (where nn is 40 to 44)
13476 L45
13477-13553 Lnnyyyy (where nn is 49 to 60)
13554 L62
13555-13590 Lnnyyyy (where nn is 63 to 68)
13591-13654 Lnnyyyy (where nn is 70 to 76)
13655-13909 Lnnyyyy (where nn is 80 to 95)
13910-14702 Lnnyyyy (where nn is 97 to 99)

14703-14397 Mnnyyyy (where nn is 00 to 02)
14398-15005 Mnnyyyy (where nn is 05 to 08)
15006-15406 M1A0yyyy to M1A4yyyy
15407-15409 M1A9yyyy
15410-17213 Mnnyyyy (where nn is 10 to 27)
17214-17299 Mnnyyyy (where nn is 30 to 36)
17300-17486 Mnnyyyy (where nn is 40 to 43)
17487-17848 Mnnyyyy (where nn is 45 to 51)
17849-17911 Mnnyyyy (where nn is 53 to 54)
17912-18460 Mnnyyyy (where nn is 60 to 63)
18461-18926 Mnnyyyy (where nn is 65 to 67)
18927-19221 Mnnyyyy (where nn is 70 to 72)
19222-19337 Mnnyyyy (where nn is 75 to 77)
19338-19742 Mnnyyyy (where nn is 79 to 81)
19743-22232 Mnnyyyy (where nn is 83 to 96)
22233-22333 Mnnyyyy (where nn is 99)

22334-22421 Nnnyyyy (where nn is 00 to 07)
22422 N08yyyy
22423 N10yyyy
22424-22488 Nnnyyyy (where nn is 11 to 21)
22489 N22
22490 N23
22491-22594 Nnnyyyy (where nn is 25 to 36)
22595 N37
22596-22747 Nnnyyyy (where nn is 39 to 53)
22748-22776 N60yyyy
22777 N61
22778 N62
22779 N63
22780-22798 Nnnyyyy (where nn is 64 to 65)
22799-22815 Nnnyyyy (where nn is 70 to 71)
22816 N72
22817-22826 N73yyyy
22827 N74
22828-22846 Nnnyyyy (where nn is 75 to 77)
22847-22923 Nnnyyyy (where nn is 80 to 85)
22924 N86
22925-23003 Nnnyyyy (where nn is 87 to 95)
23004 N96
23005-23059 Nnnyyyy (where nn is 97 to 99)

23060-23122 Onnyyyy (where nn is 00 to 04)
23123-23338 Onnyyyy (where nn is 07 to 16)
23339-23587 Onnyyyy (where nn is 20 to 26)
23588-24632 Onnyyyy (where nn is 28 to 36)
24633-25043 Onnyyyy (where nn is 40 to 48)
25044-25214 Onnyyyy (where nn is 60 to 67)
25215 N68
25216-25352 Onnyyyy (where nn is 69 to 75)
25353 N76
25354-25358 O77yyyy
25359 N80
25360 N82
25361 N85
25362-25502 Onnyyyy (where nn is 86 to 92)
25503 N94
25504-25705 Onnyyyy (where nn is 98 to 99)
25706-25746 O9Ayyyy

25747-25836 Pnnyyyy (where nn is 00 to 05)
25837-25874 Pnnyyyy (where nn is 07 to 08)
25875 P09
25876-25926 Pnnyyyy (where nn is 10 to 15)
25927-25931 Pnnyyyy (where nn is 19)
25932-26005 Pnnyyyy (where nn is 22 to 29)
26006-26045 Pnnyyyy (where nn is 35 to 39)
26046-26070 Pnnyyyy (where nn is 50 to 52)
26071 P53
26072-26115 Pnnyyyy (where nn is 54 to 59)
26116 P60
26117-26126 Pnnyyyy (where nn is 61)
26127-26148 Pnnyyyy (where nn is 70 to 72)
26149-26158 Pnnyyyy (where nn is 74)
26159-26179 Pnnyyyy (where nn is 76 to 78)
26180-26188 Pnnyyyy (where nn is 80 to 81)
26189-26200 P83yyyy
26201 P84
26202 P90
26203-26250 Pnnyyyy (where nn is 91 to 96)

26251-26303 Qnnyyyy (where nn is 00 to 07)
26304-26375 Qnnyyyy (where nn is 10 to 18)
26376-26466 Qnnyyyy (where nn is 20 to 28)
26467-26588 Qnnyyyy (where nn is 30 to 45)
26589-26688 Qnnyyyy (where nn is 50 to 56)
26689-27106 Qnnyyyy (where nn is 60 to 87)
27107-27155 Qnnyyyy (where nn is 89 to 93)
27156-27194 Qnnyyyy (where nn is 95 to 99)

27195-27204 Rnnyyyy (where nn is 00 to 01)
27205-27215 Rnnyyyy (where nn is 03 to 04)
27216 R05
27217-27244 Rnnyyyy (where nn is 06 to 07)
27245-27299 Rnnyyyy (where nn is 09 to 11)
27300 R12
27301-27323 Rnnyyyy (where nn is 13 to 16)
27324 R17
27325-27364 Rnnyyyy (where nn is 18 to 20)
27365 R21
27366-27388 Rnnyyyy (where nn is 22 to 23)
27389-27407 Rnnyyyy (where nn is 25 to 27)
27408-27435 Rnnyyyy (where nn is 29 to 31)
27436 R32
27437-27441 Rnnyyyy (where nn is 33)
27442 R34
27443-27449 Rnnyyyy (where nn is 35 to 36)
27450 R37
27451-27588 Rnnyyyy (where nn is 39 to 41)
27589 R42
27590-27667 Rnnyyyy (where nn is 43 to 50)
27668 R51
27669 R52
27670-27677 R53yyyy
27678 R54
27679 R55
27680-27690 Rnnyyyy (where nn is 56 to 57)
27671 R58
27672-27699 Rnnyyyy (where nn is 59 to 60)
27700 R61
27701-27717 Rnnyyyy (where nn is 62 to 63)
27718 R64
27719-27725 R65yyyy
27726-27740 R68yyyy
27741 R69
27742-27747 Rnnyyyy (where nn is 70 to 71)
27748-27757 Rnnyyyy (where nn is 73 to 74)
27758 R75
27759-27801 Rnnyyyy (where nn is 76 to 80)
27802 R81
27803-27980 Rnnyyyy (where nn is 82 to 94)
27981-27985 R97yyyy
27986 R99

27987-31729 Snnyyyy (where nn is 00 to 17)
31730-66650 Snnyyyy (where nn is 19 to 99)

66651 T07
66652-70623 Tnnyyyy (where nn is 14 to 28)
70624-71082 Tnnyyyy (where nn is 30 to 34)
71083-78125 Tnnyyyy (where nn is 36 to 71)
78126-78306 Tnnyyyy (where nn is 73 to 76)
78307-80560 Tnnyyyy (where nn is 78 to 88)

80561-81098 Vnnyyyy (where nn is 00 to 06)
81099-85747 Vnnyyyy (where nn is 09 to 99)

85748-85800 Wnnyyyy (where nn is 00 to 01)
85801-86713 Wnnyyyy (where nn is 03 to 40)
86714-86722 W42yyyy
86723-86748 Wnnyyyy (where nn is 45 to 46)
86749-87259 Wnnyyyy (where nn is 49 to 62)
87260-87267 Wnnyyyy (where nn is 64 to 65)
87268-87271 W67yyyy
87272-87275 W69yyyy
87276-87283 Wnnyyyy (where nn is 73 to 74)
87284-87300 Wnnyyyy (where nn is 85 to 86)
87301-87347 Wnnyyyy (where nn is 88 to 90)
87348-87422 Wnnyyyy (where nn is 92 to 94)
87423-87426 W99yyyy

87427-87551 Xnnyyyy (where nn is 00 to 06)
87552-87595 X08yyyy
87596-87680 Xnnyyyy (where nn is 10 to 19)
87681-87692 Xnnyyyy (where nn is 30 to 32)
87693-87765 Xnnyyyy (where nn is 34 to 39)
87766-87769 X52yyyy
87770-87773 X58yyyy
87774-87954 Xnnyyyy (where nn is 71 to 83)
87959-88105 Xnnyyyy (where nn is 92 to 99)

88106-88152 Ynnyyyy (where nn is 00 to 04)
88153-88219 Ynnyyyy (where nn is 07 to 08)
88220 Y09
88221-88365 Ynnyyyy (where nn is 21 to 33)
88366-89663 Ynnyyyy (where nn is 35 to 38)
89664-89699 Ynnyyyy (where nn is 62 to 65)
89700 Y66
89701 Y69
89702-89797 Ynnyyyy (where nn is 70 to 84)
89798-89808 Y90yyyy
89809-90182 Ynnyyyy (where nn is 92 to 93)
90183 Y95
90184-90189 Y99yyyy

90190-90283 Znnyyyy (where nn is 00 to 04)
90284 Z08
90285 Z09
90286-90414 Znnyyyy (where nn is 10 to 18)
90415-90435 Z20yyyy
90436 Z21
90437-90458 Z22yyyy
90459 Z23
90460-90477 Z28yyyy
90478-90552 Znnyyyy (where nn is 30 to 34)
90553 Z36
90554-90597 Z3Ayyyy
90598-90800 Znnyyyy (where nn is 37 to 49)
90801-90855 Znnyyyy (where nn is 51 to 53)
90856-90889 Znnyyyy (where nn is 55 to 57)
90890-90908 Znnyyyy (where nn is 59 to 60)
90909-90960 Znnyyyy (where nn is 62 to 65)
90961 Z66
90962-91737 Znnyyyy (where nn is 67 to 99)

Bill Parker (wp02855 () gmail com)
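As an added example, not code from either message: a Python 3 version of the generator idea in the reply above that reads rows written in the format of Bill's breakdown and answers the PCRE question with one pcre-based Snort rule per row. It assumes the ICD-10-CM layout (three-character category, then an optional period and up to four alphanumerics for the "yyyy" part), uses placeholder sids from 1000001 upward, and rejects rows outside the two handled forms, such as the C7x and M1A lines, with a ValueError.

```python
import re

# Constructed sample rows copied in the format of the ICD-10 breakdown (not the full table).
SAMPLE_ROWS = [
    "00001-00688 Annyyyy (where nn is 00 to 99)",
    "07699 H22 (specific code)",
    "90554-90597 Z3Ayyyy",
    "90598-90800 Znnyyyy (where nn is 37 to 49)",
]
# Row forms handled: "<idx> Lnnyyyy (where nn is A to B)" and "<idx> Lxx[yyyy]" (fixed category).
ROW_RE = re.compile(r"^\s*\d{5}(?:-\d{5})?\s+([A-Z])([0-9A-Zn]{2})(?:yyyy)?\b"
                    r"(?:.*?\(where nn is (\d{2}) to (\d{2})\))?")
# Assumed ICD-10-CM layout: 3-character category, then an optional period plus up to 4
# alphanumerics (the "yyyy" part); the \b anchors stop "Z37" from matching inside "XZ370".
SUFFIX = r"(?:\.[0-9A-Z]{1,4})?"

def two_digit_range(lo, hi):
    """Alternation for the zero-padded two-digit numbers lo..hi, one branch per decade."""
    parts, d = [], lo
    while d <= hi:
        tens, ones = divmod(d, 10)
        end = min(hi, tens * 10 + 9)
        parts.append(f"{tens}{ones}" if ones == end % 10 else f"{tens}[{ones}-{end % 10}]")
        d = end + 1
    return "(?:" + "|".join(parts) + ")"

def parse_row(row):
    """Return (label, pcre) for one table row; rows outside the handled forms raise ValueError."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unparsed row: " + row)
    letter, body, lo, hi = m.groups()
    if body == "nn":
        if lo is None:
            raise ValueError("nn row without a range: " + row)
        label, body = f"{letter}{lo}-{letter}{hi}", two_digit_range(int(lo), int(hi))
    else:
        label = letter + body
    return label, r"\b" + letter + body + SUFFIX + r"\b"

def genrules(rows, first_sid):
    """One Snort rule per row. content: must be quoted and every rule needs a sid; a
    pcre-only rule has no fast-pattern content, so expect it to be slow on busy links."""
    rules = []
    for i, row in enumerate(rows):
        label, pcre = parse_row(row)
        rules.append('alert tcp any any -> any any (msg:"ICD-10 code %s in cleartext"; '
                     'pcre:"/%s/"; sid:%d; rev:1;)' % (label, pcre, first_sid + i))
    return "\n".join(rules) + "\n"

if __name__ == "__main__":
    print(genrules(SAMPLE_ROWS, 1000001), end="")
```

A row with an nn range becomes a decade-split alternation such as Z(?:3[7-9]|4[0-9]), so the Z37 to Z49 line above yields one rule instead of thirteen; expect false positives wherever a letter-digit-digit token is common (part numbers, grid references), so test the generated file against a pcap of normal traffic before enabling it.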


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
