[Snort-devel] Sensitive Data Preprocessor
bbantwal at ...402...
Mon Mar 12 12:06:55 EDT 2012
Thanks for your email.
Sorry for the late reply. Comments inline.
On Tue, Feb 21, 2012 at 8:08 PM, Joshua Kinard <kumba at ...2185...> wrote:
> This is a curious little preprocessor, so I decided to play with it a bit,
> and have a few questions...
> 1. For the 'mask_output' directive, where does that actually operate? I
> tested out some sample e-mail traffic I generated with an SSN in it, and in
> both the console output and the raw packet output, the SSN was clearly
> visible, so I am dubious if this directive actually works as advertised.
> Also, it says it will obfuscate the last four digits of credit card
> My experience has shown the opposite to be true, that the first 12 digits
> (for Visa, MasterCard) are typically obfuscated out while leaving the last
> four visible. Should Snort mirror this? Obfuscate the last 4 for SSN and
> the first 12 for CC's? Amex and other cards might need minor tweaks, as
> they have a slightly different number format.
The README.sensitive_data says
This option replaces all but the last 4 digits of a detected PII
"X"s. This is only done on credit card & Social Security numbers,
an organization's regulations may prevent them from seeing
What doc are you referring to?
> 2. For the 'ssn_file' directive, it looks like that as of 06/24/2011, the
> Social Security Administration switched to a randomized SSN format that
> deprecates the need for this file. The last file that they issued was on
> the above date:
> So is this directive still needed? Or would it make sense to incorporate
> the final release into Snort and remove this directive?
We have filed a bug to fix this. Thank you for pointing it out.
> 3. No output from the alerts is logged. I brought this issue up once
> when I reported that tcpdump files contain only the 24-byte PCAP header and
> nothing else. I have since run into this issue while using file_data, too.
> So it seems to be something with the way preprocessor alerts are processed
> that they are not logged to files in some cases.
> I even tested unified2 output, and all I get is a 0-byte file written to my
> log directory. If I use -A full, and configure alert_full, then I get the
> text of the alert and the IP/TCP headers only written out to a file, but no
> application layer or payload.
> This partially relates back to item #1, because I can't see what exactly
> mask_output should be obfuscating, so I am still confused on why Snort is
> writing empty files out. That still seems like a bug to me.
> Here's the relevant parts of my config and test rules:
> output log_tcpdump: log/snort.log
> output alert_full: alert.full
> output alert_unified2: filename alert.u2
> output log_unified2: filename log.u2
> preprocessor sensitive_data: \
> mask_output \
> ssn_file ssn-grps-20110624-final.csv
> alert tcp any any -> any 25 (msg:"sd_pattern test smtp";
> sd_pattern:1,us_social; sid:42000030; rev:1; gid:138;)
A bug has been filed to address this. Can you send me the pcap and conf you
> Joshua Kinard
> kumba at ...2185...
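The masking rule quoted from README.sensitive_data above ("all but the last 4 digits" replaced with "X") and the `sd_pattern:<count>,<pattern>` threshold in the test rule, as an added Python illustration; this is not Snort's code, and the pattern table, function names and sample text are constructed for the example:

```python
import re

# Constructed example (not Snort's implementation): a stand-in for what the
# thread's `mask_output` is documented to do, i.e. replace all but the last 4
# digits of a detected SSN or credit card number with "X", plus the
# `sd_pattern:<count>,<pattern>` threshold used in the quoted test rule.

# Hypothetical pattern table. "us_social" is the dashed 3-2-4 form the rule in
# the thread uses; "credit_card" is a 16-digit number in groups of four with
# optional space or dash separators (no issuer-specific formats here).
PATTERNS = {
    "us_social": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "credit_card": re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)"),
}

def find_pii(text: str, kind: str) -> list[str]:
    """Return every match of the named pattern, in order of appearance."""
    return [m.group(0) for m in PATTERNS[kind].finditer(text)]

def should_alert(text: str, kind: str, count: int) -> bool:
    """Mimic `sd_pattern:<count>,<kind>`: alert once `count` matches are seen."""
    return len(find_pii(text, kind)) >= count

def mask_match(value: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with 'X'; keep separators."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)

def mask_output(text: str) -> str:
    """Apply the README's masking rule to every SSN and card number in `text`."""
    # Credit cards first, so a 16-digit run is never partially consumed as an SSN.
    for kind in ("credit_card", "us_social"):
        text = PATTERNS[kind].sub(lambda m: mask_match(m.group(0)), text)
    return text

if __name__ == "__main__":
    # Constructed sample resembling the e-mail traffic described in the thread.
    sample = "Subject: payroll\nSSN 123-45-6789, card 4111 1111 1111 1111, ref 2012-03-12"
    print(should_alert(sample, "us_social", 1))  # True: one us_social match
    print(mask_output(sample))  # SSN XXX-XX-6789, card XXXX XXXX XXXX 1111, date untouched
```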