[Snort-devel] Possible new idea for PII/Sensitive Data in Snort

Emiliano Fausto emiliano.fausto at ...2499...
Wed Jun 25 15:10:39 EDT 2014


Hi Bill,

I think it could be an interesting thing to do. If you need a practical
solution, you can generate a rules file with the help of a little
Python code, like this:

def genrules(base, lo, hi, sid_start):
    # One content rule per code base+lo .. base+hi. The content match must be
    # quoted, and Snort needs a unique sid per rule, so sids are handed out
    # from sid_start upward.
    rules = ''
    for n, code in enumerate(range(lo, hi + 1)):
        rules += ('alert tcp any any -> any any (content:"%s%02d"; nocase; '
                  'msg:"HIPAA Alert. Packet with %s%02d detected."; '
                  'sid:%d; rev:1;)\n' % (base, code, base, code, sid_start + n))
    return rules

If you call this function for one of your example lines, let's take this
one:

print(genrules('Z', 37, 49, 1000001))

It will return:

alert tcp any any -> any any (content:"Z37"; nocase; msg:"HIPAA Alert. Packet with Z37 detected."; sid:1000001; rev:1;)
alert tcp any any -> any any (content:"Z38"; nocase; msg:"HIPAA Alert. Packet with Z38 detected."; sid:1000002; rev:1;)
alert tcp any any -> any any (content:"Z39"; nocase; msg:"HIPAA Alert. Packet with Z39 detected."; sid:1000003; rev:1;)
alert tcp any any -> any any (content:"Z40"; nocase; msg:"HIPAA Alert. Packet with Z40 detected."; sid:1000004; rev:1;)
alert tcp any any -> any any (content:"Z41"; nocase; msg:"HIPAA Alert. Packet with Z41 detected."; sid:1000005; rev:1;)
alert tcp any any -> any any (content:"Z42"; nocase; msg:"HIPAA Alert. Packet with Z42 detected."; sid:1000006; rev:1;)
alert tcp any any -> any any (content:"Z43"; nocase; msg:"HIPAA Alert. Packet with Z43 detected."; sid:1000007; rev:1;)
alert tcp any any -> any any (content:"Z44"; nocase; msg:"HIPAA Alert. Packet with Z44 detected."; sid:1000008; rev:1;)
alert tcp any any -> any any (content:"Z45"; nocase; msg:"HIPAA Alert. Packet with Z45 detected."; sid:1000009; rev:1;)
alert tcp any any -> any any (content:"Z46"; nocase; msg:"HIPAA Alert. Packet with Z46 detected."; sid:1000010; rev:1;)
alert tcp any any -> any any (content:"Z47"; nocase; msg:"HIPAA Alert. Packet with Z47 detected."; sid:1000011; rev:1;)
alert tcp any any -> any any (content:"Z48"; nocase; msg:"HIPAA Alert. Packet with Z48 detected."; sid:1000012; rev:1;)
alert tcp any any -> any any (content:"Z49"; nocase; msg:"HIPAA Alert. Packet with Z49 detected."; sid:1000013; rev:1;)


You can then call this function for each of your lines and append all of
the output to a file called hippa.rules. (Or you can even write a .py
that calls all of them and writes the output to a file from within the same
Python code.)

When you have your rules definition file ready, you can include it from your
snort.conf file.

Hope it helps!
Emiliano



2014-06-25 14:59 GMT-03:00 Bill Parker <wp02855 at ...2499...>:

> Hi All,
>
>     The information below is what I broke down to see if it would be useful
> to add new rules to Snort to detect medical diagnosis codes (ICD-10 format),
> since these being transmitted in cleartext could be PII/sensitive data or
> a potential HIPAA violation (data leakage).
>
> I would appreciate some suggestions on implementing this: either with PCRE
> in Snort rules, or would making a new preprocessor or modifying an existing
> one be more in line?
>
> FY 2015 ICD-10 Codes PCRE/Pattern Match Values
>
> This indicates POTENTIAL ICD-10 codes transmitted in cleartext
> (think possible HIPAA violation, PII/Sensitive Data)
>
> note: yyyy values can be alpha-numeric (and optional)
>
> 00001-00688 Annyyyy (where nn is 00 to 99)
>
> 00689-01292 Bnnyyyy (where nn is 00 to 99)
>
> 01293-02038 Cnnyyyy (where nn is 00 to 75)
> 02039-02076 C7xyyyy (where x is 'A' or 'B') - non case sensitive
> 02077-02717 Cnnyyyy (where nn is 76 to 96)
>
> 02718-03615 Dnnyyyy (where nn is 00 to 89)
>
> 03616-04494 Ennyyyy (where nn is 00 to 89)
>
> 04495-05421 Fnnyyyy (where nn is 01 to 99)
>
> 05422-06213 Gnnyyyy (where nn is 00 to 99)
>
> 06214-06867 Hnnyyyy (where nn is 00 to 05)
> 06868-07811 Hnnyyyy (where nn is 10 to 11)
> 07812-07522 Hnnyyyy (where nn is 15 to 18)
> 07523-07698 Hnnyyyy (where nn is 20 to 21)
> 07699 H22 (specific code)
> 07700-07854 Hnnyyyy (where nn is 25 to 27)
> 07855 H28 (specific code)
> 07856-08007 Hnnyyyy (where nn is 30 to 31)
> 08008 H32 (specific code)
> 08009-08312 Hnnyyyy (where nn is 33 to 35)
> 08313 H36 (specific code)
> 08314-08608 Hnnyyyy (where nn is 40)
> 08609 H42 (specific code)
> 08610-08829 Hnnyyyy (where nn is 43 to 44)
> 08830-08951 Hnnyyyy (where nn is 46 to 47)
> 08952-08989 Hnnyyyy (where nn is 49)
> 08990-09260 Hnnyyyy (where nn is 50 to 55)
> 09261-09280 Hnnyyyy (where nn is 57)
> 09281-09539 Hnnyyyy (where nn is 59 to 62)
> 09540-09919 Hnnyyyy (where nn is 65 to 75)
> 09920-10027 Hnnyyyy (where nn is 80 to 83)
> 10028-10203 Hnnyyyy (where nn is 90 to 95)
>
> 10204-10213 Innyyyy (where nn is 00 to 02)
> 10214-10259 Innyyyy (where nn is 05 to 13)
> 10260-10265 Innyyyy (where nn is 15)
> 10266-10388 Innyyyy (where nn is 20 to 28)
> 10389-10538 Innyyyy (where nn is 30 to 52)
> 10539-10679 Innyyyy (where nn is 60 to 63)
> 10680-11648 Innyyyy (where nn is 65 to 83)
> 11649-11729 Innyyyy (where nn is 85 to 89)
> 11730-11790 Innyyyy (where nn is 95 to 99)
>
> 11791-11844 Jnnyyyy (where nn is 00 to 06)
> 11845-11910 Jnnyyyy (where nn is 09 to 18)
> 11911-11926 Jnnyyyy (where nn is 20 to 21)
> 11927 J22 (specific code)
> 11928-12037 Jnnyyyy (where nn is 30 to 45)
> 12038-12041 J47yyyy
> 12042-12093 Jnnyyyy (where nn is 60 to 70)
> 12094-12098 Jnnyyyy (where nn is 80 to 82)
> 12099-12185 Jnnyyyy (where nn is 84 to 86)
> 12186-12211 Jnnyyyy (where nn is 90 to 96)
> 12212-12226 Jnnyyyy (where nn is 98 to 99)
>
> 12227-12303 Knnyyyy (where nn is 00 to 06)
> 12304-12394 Knnyyyy (where nn is 08 to 09)
> 12395-12445 Knnyyyy (where nn is 11 to 14)
> 12446-12471 Knnyyyy (where nn is 20 to 23)
> 12472-12558 Knnyyyy (where nn is 25 to 31)
> 12559-12564 K35yyyy
> 12565 K36
> 12566 K37
> 12567-12573 K38yyyy
> 12574-12637 Knnyyyy (where nn is 40 to 46)
> 12638-12747 Knnyyyy (where nn is 50 to 52)
> 12748-12883 Knnyyyy (where nn is 55 to 68)
> 12884-12960 Knnyyyy (where nn is 70 to 76)
> 12961 K77
> 12962-13033 Knnyyyy (where nn is 80 to 83)
> 13034-13047 Knnyyyy (where nn is 85 to 86)
> 13048 K87
> 13049-13090 Knnyyyy (where nn is 90 to 92)
> 13091-13122 Knnyyyy (where nn is 94 to 95)
>
> 13123-13319 Lnnyyyy (where nn is 00 to 05)
> 13320-13327 L08yyyy
> 13328-13358 Lnnyyyy (where nn is 10 to 13)
> 13359 L14
> 13360-13436 Lnnyyyy (where nn is 20 to 30)
> 13437-13475 Lnnyyyy (where nn is 40 to 44)
> 13476 L45
> 13477-13553 Lnnyyyy (where nn is 49 to 60)
> 13554 L62
> 13555-13590 Lnnyyyy (where nn is 63 to 68)
> 13591-13654 Lnnyyyy (where nn is 70 to 76)
> 13655-13909 Lnnyyyy (where nn is 80 to 95)
> 13910-14702 Lnnyyyy (where nn is 97 to 99)
>
> 14703-14397 Mnnyyyy (where nn is 00 to 02)
> 14398-15005 Mnnyyyy (where nn is 05 to 08)
> 15006-15406 M1A0yyyy to M1A4yyyy
> 15407-15409 M1A9yyyy
> 15410-17213 Mnnyyyy (where nn is 10 to 27)
> 17214-17299 Mnnyyyy (where nn is 30 to 36)
> 17300-17486 Mnnyyyy (where nn is 40 to 43)
> 17487-17848 Mnnyyyy (where nn is 45 to 51)
> 17849-17911 Mnnyyyy (where nn is 53 to 54)
> 17912-18460 Mnnyyyy (where nn is 60 to 63)
> 18461-18926 Mnnyyyy (where nn is 65 to 67)
> 18927-19221 Mnnyyyy (where nn is 70 to 72)
> 19222-19337 Mnnyyyy (where nn is 75 to 77)
> 19338-19742 Mnnyyyy (where nn is 79 to 81)
> 19743-22232 Mnnyyyy (where nn is 83 to 96)
> 22233-22333 Mnnyyyy (where nn is 99)
>
> 22334-22421 Nnnyyyy (where nn is 00 to 07)
> 22422 N08yyyy
> 22423 N10yyyy
> 22424-22488 Nnnyyyy (where nn is 11 to 21)
> 22489 N22
> 22490 N23
> 22491-22594 Nnnyyyy (where nn is 25 to 36)
> 22595 N37
> 22596-22747 Nnnyyyy (where nn is 39 to 53)
> 22748-22776 N60yyyy
> 22777 N61
> 22778 N62
> 22779 N63
> 22780-22798 Nnnyyyy (where nn is 64 to 65)
> 22799-22815 Nnnyyyy (where nn is 70 to 71)
> 22816 N72
> 22817-22826 N73yyyy
> 22827 N74
> 22828-22846 Nnnyyyy (where nn is 75 to 77)
> 22847-22923 Nnnyyyy (where nn is 80 to 85)
> 22924 N86
> 22925-23003 Nnnyyyy (where nn is 87 to 95)
> 23004 N96
> 23005-23059 Nnnyyyy (where nn is 97 to 99)
>
> 23060-23122 Onnyyyy (where nn is 00 to 04)
> 23123-23338 Onnyyyy (where nn is 07 to 16)
> 23339-23587 Onnyyyy (where nn is 20 to 26)
> 23588-24632 Onnyyyy (where nn is 28 to 36)
> 24633-25043 Onnyyyy (where nn is 40 to 48)
> 25044-25214 Onnyyyy (where nn is 60 to 67)
> 25215 N68
> 25216-25352 Onnyyyy (where nn is 69 to 75)
> 25353 N76
> 25354-25358 O77yyyy
> 25359 N80
> 25360 N82
> 25361 N85
> 25362-25502 Onnyyyy (where nn is 86 to 92)
> 25503 N94
> 25504-25705 Onnyyyy (where nn is 98 to 99)
> 25706-25746 O9Ayyyy
>
> 25747-25836 Pnnyyyy (where nn is 00 to 05)
> 25837-25874 Pnnyyyy (where nn is 07 to 08)
> 25875 P09
> 25876-25926 Pnnyyyy (where nn is 10 to 15)
> 25927-25931 Pnnyyyy (where nn is 19)
> 25932-26005 Pnnyyyy (where nn is 22 to 29)
> 26006-26045 Pnnyyyy (where nn is 35 to 39)
> 26046-26070 Pnnyyyy (where nn is 50 to 52)
> 26071 P53
> 26072-26115 Pnnyyyy (where nn is 54 to 59)
> 26116 P60
> 26117-26126 Pnnyyyy (where nn is 61)
> 26127-26148 Pnnyyyy (where nn is 70 to 72)
> 26149-26158 Pnnyyyy (where nn is 74)
> 26159-26179 Pnnyyyy (where nn is 76 to 78)
> 26180-26188 Pnnyyyy (where nn is 80 to 81)
> 26189-26200 P83yyyy
> 26201 P84
> 26202 P90
> 26203-26250 Pnnyyyy (where nn is 91 to 96)
>
> 26251-26303 Qnnyyyy (where nn is 00 to 07)
> 26304-26375 Qnnyyyy (where nn is 10 to 18)
> 26376-26466 Qnnyyyy (where nn is 20 to 28)
> 26467-26588 Qnnyyyy (where nn is 30 to 45)
> 26589-26688 Qnnyyyy (where nn is 50 to 56)
> 26689-27106 Qnnyyyy (where nn is 60 to 87)
> 27107-27155 Qnnyyyy (where nn is 89 to 93)
> 27156-27194 Qnnyyyy (where nn is 95 to 99)
>
> 27195-27204 Rnnyyyy (where nn is 00 to 01)
> 27205-27215 Rnnyyyy (where nn is 03 to 04)
> 27216 R05
> 27217-27244 Rnnyyyy (where nn is 06 to 07)
> 27245-27299 Rnnyyyy (where nn is 09 to 11)
> 27300 R12
> 27301-27323 Rnnyyyy (where nn is 13 to 16)
> 27324 R17
> 27325-27364 Rnnyyyy (where nn is 18 to 20)
> 27365 R21
> 27366-27388 Rnnyyyy (where nn is 22 to 23)
> 27389-27407 Rnnyyyy (where nn is 25 to 27)
> 27408-27435 Rnnyyyy (where nn is 29 to 31)
> 27436 R32
> 27437-27441 Rnnyyyy (where nn is 33)
> 27442 R34
> 27443-27449 Rnnyyyy (where nn is 35 to 36)
> 27450 R37
> 27451-27588 Rnnyyyy (where nn is 39 to 41)
> 27589 R42
> 27590-27667 Rnnyyyy (where nn is 43 to 50)
> 27668 R51
> 27669 R52
> 27670-27677 R53yyyy
> 27678 R54
> 27679 R55
> 27680-27690 Rnnyyyy (where nn is 56 to 57)
> 27671 R58
> 27672-27699 Rnnyyyy (where nn is 59 to 60)
> 27700 R61
> 27701-27717 Rnnyyyy (where nn is 62 to 63)
> 27718 R64
> 27719-27725 R65yyyy
> 27726-27740 R68yyyy
> 27741 R69
> 27742-27747 Rnnyyyy (where nn is 70 to 71)
> 27748-27757 Rnnyyyy (where nn is 73 to 74)
> 27758 R75
> 27759-27801 Rnnyyyy (where nn is 76 to 80)
> 27802 R81
> 27803-27980 Rnnyyyy (where nn is 82 to 94)
> 27981-27985 R97yyyy
> 27986 R99
>
> 27987-31729 Snnyyyy (where nn is 00 to 17)
> 31730-66650 Snnyyyy (where nn is 19 to 99)
>
> 66651 T07
> 66652-70623 Tnnyyyy (where nn is 14 to 28)
> 70624-71082 Tnnyyyy (where nn is 30 to 34)
> 71083-78125 Tnnyyyy (where nn is 36 to 71)
> 78126-78306 Tnnyyyy (where nn is 73 to 76)
> 78307-80560 Tnnyyyy (where nn is 78 to 88)
>
> 80561-81098 Vnnyyyy (where nn is 00 to 06)
> 81099-85747 Vnnyyyy (where nn is 09 to 99)
>
> 85748-85800 Wnnyyyy (where nn is 00 to 01)
> 85801-86713 Wnnyyyy (where nn is 03 to 40)
> 86714-86722 W42yyyy
> 86723-86748 Wnnyyyy (where nn is 45 to 46)
> 86749-87259 Wnnyyyy (where nn is 49 to 62)
> 87260-87267 Wnnyyyy (where nn is 64 to 65)
> 87268-87271 W67yyyy
> 87272-87275 W69yyyy
> 87276-87283 Wnnyyyy (where nn is 73 to 74)
> 87284-87300 Wnnyyyy (where nn is 85 to 86)
> 87301-87347 Wnnyyyy (where nn is 88 to 90)
> 87348-87422 Wnnyyyy (where nn is 92 to 94)
> 87423-87426 W99yyyy
>
> 87427-87551 Xnnyyyy (where nn is 00 to 06)
> 87552-87595 X08yyyy
> 87596-87680 Xnnyyyy (where nn is 10 to 19)
> 87681-87692 Xnnyyyy (where nn is 30 to 32)
> 87693-87765 Xnnyyyy (where nn is 34 to 39)
> 87766-87769 X52yyyy
> 87770-87773 X58yyyy
> 87774-87954 Xnnyyyy (where nn is 71 to 83)
> 87959-88105 Xnnyyyy (where nn is 92 to 99)
>
> 88106-88152 Ynnyyyy (where nn is 00 to 04)
> 88153-88219 Ynnyyyy (where nn is 07 to 08)
> 88220 Y09
> 88221-88365 Ynnyyyy (where nn is 21 to 33)
> 88366-89663 Ynnyyyy (where nn is 35 to 38)
> 89664-89699 Ynnyyyy (where nn is 62 to 65)
> 89700 Y66
> 89701 Y69
> 89702-89797 Ynnyyyy (where nn is 70 to 84)
> 89798-89808 Y90yyyy
> 89809-90182 Ynnyyyy (where nn is 92 to 93)
> 90183 Y95
> 90184-90189 Y99yyyy
>
> 90190-90283 Znnyyyy (where nn is 00 to 04)
> 90284 Z08
> 90285 Z09
> 90286-90414 Znnyyyy (where nn is 10 to 18)
> 90415-90435 Z20yyyy
> 90436 Z21
> 90437-90458 Z22yyyy
> 90459 Z23
> 90460-90477 Z28yyyy
> 90478-90552 Znnyyyy (where nn is 30 to 34)
> 90553 Z36
> 90554-90597 Z3Ayyyy
> 90598-90800 Znnyyyy (where nn is 37 to 49)
> 90801-90855 Znnyyyy (where nn is 51 to 53)
> 90856-90889 Znnyyyy (where nn is 55 to 57)
> 90890-90908 Znnyyyy (where nn is 59 to 60)
> 90909-90960 Znnyyyy (where nn is 62 to 65)
> 90961 Z66
> 90962-91737 Znnyyyy (where nn is 67 to 99)
>
> Bill Parker (wp02855 at ...2499...)
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
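An added example, not part of either message in this thread: Bill's range table above is really a specification for one PCRE per chapter letter, not for thousands of content rules, so this script (my code, not Emiliano's or the Snort project's) turns a constructed subset of that table (chapters A, B, C with C7A/C7B, and Z with Z3A) into one Snort rule per letter, and then runs the same patterns over constructed payloads with Python's re module standing in for Snort's libpcre. The rule header, the sid range, and the assumed shape of the optional "yyyy" part (up to four alphanumerics, with the dot of the printed form tolerated but not required) are assumptions, not something the thread states.

```python
import re

# Constructed subset of the FY2015 ICD-10 category table quoted above:
# letter -> (two-digit numeric category ranges, literal alphanumeric
# categories such as C7A/C7B and Z3A that the numeric ranges cannot express).
ICD10_CATEGORIES = {
    'A': ([(0, 99)], ()),
    'B': ([(0, 99)], ()),
    'C': ([(0, 75), (76, 96)], ('7A', '7B')),
    'Z': ([(0, 4), (8, 9), (10, 18), (20, 23), (28, 28), (30, 34), (36, 49),
           (51, 53), (55, 57), (59, 60), (62, 99)], ('3A',)),
}


def _merge_decades(decades):
    """Collapse consecutive fully covered decades, e.g. [1, 2, 3] -> '[1-3][0-9]'."""
    if not decades:
        return []
    tens = str(decades[0]) if len(decades) == 1 else '[%d-%d]' % (decades[0], decades[-1])
    return [tens + '[0-9]']


def two_digit_range(lo, hi):
    """Regex alternatives matching the zero-padded two-digit numbers lo..hi,
    e.g. (37, 49) -> ['3[7-9]', '4[0-9]']."""
    alts, full_decades = [], []
    a = lo
    while a <= hi:
        tens = a // 10
        b = min(hi, tens * 10 + 9)            # last number of this decade, capped at hi
        if a % 10 == 0 and b % 10 == 9:       # the whole decade is covered
            full_decades.append(tens)
        else:                                 # partial decade: flush, then emit it
            alts.extend(_merge_decades(full_decades))
            full_decades = []
            units = str(a % 10) if a == b else '[%d-%d]' % (a % 10, b % 10)
            alts.append('%d%s' % (tens, units))
        a = b + 1
    alts.extend(_merge_decades(full_decades))
    return alts


def build_pattern(letter, ranges, literals=()):
    """PCRE for one ICD-10 chapter: the letter, a covered category, then an
    optional subcategory of up to four alphanumerics (assumed format; the
    dot of the printed form is tolerated but not required)."""
    alts = [alt for lo, hi in ranges for alt in two_digit_range(lo, hi)]
    alts.extend(literals)
    return r'\b%s(?:%s)(?:\.?[0-9A-Z]{1,4})?\b' % (letter, '|'.join(alts))


def generate_rules(categories=ICD10_CATEGORIES, sid_base=1000000):
    """One Snort rule per chapter letter instead of one rule per code.
    The sid range is an assumption; pick one that is free on your sensor."""
    rules = []
    for i, (letter, (ranges, literals)) in enumerate(sorted(categories.items())):
        rules.append(
            'alert tcp any any -> any any (msg:"HIPAA Alert. Possible ICD-10 chapter %s '
            'code in cleartext"; pcre:"/%s/i"; sid:%d; rev:1;)'
            % (letter, build_pattern(letter, ranges, literals), sid_base + i))
    return rules


def scan(payload, categories=ICD10_CATEGORIES):
    """Run the same patterns with Python's re (a stand-in for Snort's libpcre
    here) and return the (letter, matched text) pairs that would fire."""
    hits = []
    for letter, (ranges, literals) in sorted(categories.items()):
        rx = re.compile(build_pattern(letter, ranges, literals), re.IGNORECASE)
        hits.extend((letter, m.group(0)) for m in rx.finditer(payload))
    return hits


if __name__ == '__main__':
    for rule in generate_rules():
        print(rule)
    # Constructed payloads: two real-looking codes, one miss (Z50 is not a
    # category in the table), and one false positive ("B12" is a vitamin,
    # but B00-B99 are all valid categories, so the pattern fires anyway).
    for text in ("DX: Z37.0 single live birth", "secondary c7a1 on path report",
                 "build Z50 ready", "vitamin B12 level"):
        print('%-32r -> %s' % (text, scan(text)))
```

Two caveats a deployment should take into account. A rule with no content keyword cannot use Snort's fast-pattern matcher, so every packet that matches the rule header gets handed to PCRE; tighten the header (ports, $HOME_NET / $EXTERNAL_NET, direction) and, where the carrying format is known, add a content anchor ahead of the pcre. And, as the "B12" payload shows, the bare ICD-10 syntax is a weak signal on its own: a letter followed by two digits occurs constantly in ordinary traffic, so these rules are a starting point for tuning, not a finished HIPAA detector.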

