[Snort-devel] Sensitive Data Preprocessor

Bhagya Bantwal bbantwal at ...402...
Mon Mar 12 12:06:55 EDT 2012


Joshua,

Thanks for your email.

Sorry for the late reply. Comments inline.


On Tue, Feb 21, 2012 at 8:08 PM, Joshua Kinard <kumba at ...2185...> wrote:

>
> This is a curious little preprocessor, so I decided to play with it a bit,
> and have a few questions...
>
> 1. For the 'mask_output' directive, where does that actually operate?  I
> tested out some sample e-mail traffic I generated with an SSN in it, and in
> both the console output and the raw packet output, the SSN was clearly
> visible, so I am dubious if this directive actually works as advertised.
>
> Also, it says it will obfuscate the last four digits of credit card
> numbers. My experience has shown the opposite to be true, that the first 12
> digits (for Visa, MasterCard) are typically obfuscated out while leaving the
> last four visible.  Should Snort mirror this?  Obfuscate the last 4 for SSN
> and the first 12 for CCs?  Amex and other cards might need minor tweaks, as
> they have a slightly different number format.
>

The README.sensitive_data says

   mask_output
        This option replaces all but the last 4 digits of a detected PII with
        "X"s. This is only done on credit card & Social Security numbers, where
        an organization's regulations may prevent them from seeing unencrypted
        numbers.

What doc are you referring to?

>
>
>
> 2. For the 'ssn_file' directive, it looks like that as of 06/24/2011, the
> US Social Security Administration switched to a randomized SSN format that
> deprecates the need for this file.  The last file that they issued was on
> the above date:
>
> http://www.socialsecurity.gov/employer/randomization.html
> http://www.socialsecurity.gov/employer/ssnvhighgroup.htm
>
> So is this directive still needed?  Or would it make sense to incorporate
> the final release into Snort and remove this directive?
>
>
>
We have filed a bug to fix this. Thank you for pointing it out.

>
> 3. No output from the alerts is logged.  I brought this issue up once
> before when I reported that tcpdump files contain only the 24-byte PCAP
> header and nothing else.  I have since run into this issue while using
> file_data, too.  So it seems to be something with the way preprocessor
> alerts are processed that they are not logged to files in some cases.
>
> I even tested unified2 output, and all I get is a 0-byte file written to my
> log directory.  If I use -A full, and configure alert_full, then I get the
> text of the alert and the IP/TCP headers only written out to a file, but no
> application layer or payload.
>
> This partially relates back to item #1, because I can't see what exactly
> mask_output should be obfuscating.  So I am still confused on why Snort is
> writing empty files out.  That still seems like a bug to me.
>
>
> Here's the relevant parts of my config and test rules:
>
> output log_tcpdump: log/snort.log
> output alert_full: alert.full
> output alert_unified2: filename alert.u2
> output log_unified2: filename log.u2
>
> preprocessor sensitive_data:  \
>        mask_output  \
>        ssn_file ssn-grps-20110624-final.csv
>
> alert tcp any any -> any 25 (msg:"sd_pattern test smtp";
> sd_pattern:1,us_social; sid:42000030; rev:1; gid:138;
> classtype:policy-violation;)
>
>
>
A bug has been filed to address this. Can you send me the pcap and conf you
used?

> Thanks!
>
> --
> Joshua Kinard
> Gentoo/MIPS
> kumba at ...2185...
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us.  And
> our lives slip away, moment by moment, lost in that vast, terrible
> in-between."
>
> --Emperor Turhan, Centauri Republic
>
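To make the README's mask_output semantics concrete, the following is an added example (not Snort's preprocessor code, and not written by either poster) of what a reviewer can expect masked output to look like: every digit of a detected SSN or credit card number except the last four is replaced by "X", separators are preserved, and candidate card numbers are only treated as PII when they pass a Luhn check. The regexes, the Luhn filter and the sample SMTP body are this example's own assumptions; the sample body is constructed and contains no real PII.

```python
import re

# Constructed sample SMTP body (not real data): one SSN and one card number.
SAMPLE_BODY = (
    "Subject: payroll\n\n"
    "SSN: 123-45-6789, card 4111 1111 1111 1111 expires 12/25."
)

# Assumed patterns for this example. SSN: 3-2-4 digits with optional separators.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
# Card candidate: 13 to 19 digits, each optionally followed by a space or hyphen.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_all_but_last4(token):
    """Replace every digit except the last four with 'X', keeping separators."""
    digit_positions = [i for i, ch in enumerate(token) if ch.isdigit()]
    to_mask = set(digit_positions[:-4])
    return "".join("X" if i in to_mask else ch for i, ch in enumerate(token))


def mask_sensitive(text):
    """Mask SSNs and Luhn-valid card numbers; return (masked_text, counts).

    Card numbers are masked first so a masked card can never be re-matched
    as an SSN; the SSN pattern cannot match inside a longer digit run anyway
    because of the word boundaries.
    """
    counts = {"us_social": 0, "credit_card": 0}

    def cc_sub(m):
        token = m.group(0)
        digits = re.sub(r"\D", "", token)
        # Only treat the run as a card number if the checksum holds; this is
        # what keeps arbitrary digit strings from being masked.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            counts["credit_card"] += 1
            return mask_all_but_last4(token)
        return token

    def ssn_sub(m):
        counts["us_social"] += 1
        return mask_all_but_last4(m.group(0))

    text = CC_RE.sub(cc_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    return text, counts


if __name__ == "__main__":
    masked, hits = mask_sensitive(SAMPLE_BODY)
    print(masked)
    print(hits)
```

Running the script on the constructed body yields "SSN: XXX-XX-6789, card XXXX XXXX XXXX 1111" with one hit of each type; a digit run that fails the Luhn check (for instance the same card number with its last digit changed) is left untouched, which is the behaviour an analyst checking alert_full or unified2 payloads would want to verify against the preprocessor's own output.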