[Snort-devel] Sensitive Data Preprocessor

Joshua Kinard kumba at ...2185...
Tue Feb 21 20:08:28 EST 2012


This is a curious little preprocessor, so I decided to play with it a bit,
and have a few questions...

1. For the 'mask_output' directive, where does that actually operate?  I
tested out some sample e-mail traffic I generated with an SSN in it, and in
both the console output and the raw packet output, the SSN was clearly
visible, so I am dubious if this directive actually works as advertised.

Also, it says it will obfuscate the last four digits of credit card numbers.
My experience has shown the opposite to be true, that the first 12 digits
(for Visa, MasterCard) are typically obfuscated out while leaving the last
four visible.  Should Snort mirror this?  Obfuscate the last 4 for SSN and
the first 12 for CC's?  Amex and other cards might need minor tweaks, as
they have a slightly different number format.



2. For the 'ssn_file' directive, it looks like that as of 06/24/2011, the US
Social Security Administration switched to a randomized SSN format that
deprecates the need for this file.  The last file that they issued was on
the above date:

http://www.socialsecurity.gov/employer/randomization.html
http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

So is this directive still needed?  Or would it make sense to incorporate
the final release into Snort and remove this directive?



3. No output from the alerts is logged.  I brought this issue up once before
when I reported that tcpdump files contain only the 24-byte PCAP header and
nothing else.  I have since run into this issue while using file_data, too.
So it seems to be something with the way preprocessor alerts are processed
that they are not logged to files in some cases.

I even tested unified2 output, and all I get is a 0-byte file written to my
log directory.  If I use -A full, and configure alert_full, then I get the
text of the alert and the IP/TCP headers only written out to a file, but no
application layer or payload.

This partially relates back to item #1, because I can't see what exactly
mask_output should be obfuscating.  So I am still confused on why Snort is
writing empty files out.  That still seems like a bug to me.


Here are the relevant parts of my config and test rules:

output log_tcpdump: log/snort.log
output alert_full: alert.full
output alert_unified2: filename alert.u2
output log_unified2: filename log.u2

preprocessor sensitive_data:  \
        mask_output  \
        ssn_file ssn-grps-20110624-final.csv

alert tcp any any -> any 25 (msg:"sd_pattern test smtp";  \
        sd_pattern:1,us_social; sid:42000030; rev:1; gid:138;  \
        classtype:policy-violation;)


Thanks!

-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
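
The masking convention proposed in item 1 (hide the last four digits of an SSN, show only the last four digits of a card number), as an added example that is not part of the original post and is not Snort's mask_output code. It generalizes "first 12" to "all but the last four" so 15-digit Amex numbers are covered; the regexes, function names and sample payload are assumptions made for illustration.

```python
import re

# Assumed candidate patterns for this sketch; not Snort's sd_pattern definitions.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample payload: public Visa and Amex test numbers and a made-up SSN.
SAMPLE = "To: hr\r\nVisa 4111 1111 1111 1111, Amex 378282246310005, SSN 123-45-6789\r\n"

def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_card(match):
    """Replace every digit except the last four with X, keeping separators."""
    text = match.group(0)
    total = sum(ch.isdigit() for ch in text)
    if not luhn_ok(re.sub(r"\D", "", text)):
        return text                         # fails Luhn: leave the digit run untouched
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            seen += 1
            ch = ch if seen > total - 4 else "X"
        out.append(ch)
    return "".join(out)

def mask_ssn(match):
    """Keep area and group numbers, hide the four-digit serial."""
    return f"{match.group(1)}-{match.group(2)}-XXXX"

def mask_payload(payload):
    """Mask card numbers first, then SSNs, in a decoded text payload."""
    return SSN_RE.sub(mask_ssn, CARD_RE.sub(mask_card, payload))

if __name__ == "__main__":
    print(mask_payload(SAMPLE))
```
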
