# [Snort-devel] [SNORT-DEVEL] iban.c/iban.h code for possible use in snort-2.9.7.0-alpha

Bill Parker wp02855 at ...2499...
Fri Mar 28 14:06:25 EDT 2014

```Hi All,

Attached to this email are two files:

iban.c and iban.h

Which allows the end user to input a string, have the string
checked for proper country code/check digit postioning per the IBAN
(International Banking Account Number) standard, then if that is
valid, checks the positions of the string for proper alphabetic,
numeric, or alphanumeric values.  If this test succeeds, then
the string is converted into a all numeric value (stored in a
character array), and then it is processed for check digits validity
per ISO/IRC 7064:2003 (modulo 97 math) per the following algorithm:

Modulo operation on IBAN

Any computer programming language or software package that is used to
compute D mod 97 directly must have the ability to handle integers of
more than 30 digits. In practice, this can only be done by software
that either supports arbitrary-precision arithmetic or that can handle
128 bit integers, features that are often not standard.

If the application software in use does not provide the ability to
handle integers of this size, the modulo operation can be performed
in a piece-wise manner (as is the case with the UN CEFACT TBG5
Javascript program).

Piece-wise calculation D mod 97 can be done in many ways. One such way
is as follows:

1. Starting from the leftmost digit of D, construct a number using
the first 9 digits and call it N.
2. Calculate N mod 97.
3. Construct a new 9-digit N from the above result (step 2) followed
by the next 7 digits of D. If there are fewer than 7 digits remaining
in D but at least one, then construct a new N, which will have less
than 9 digits, from the above result (step 2) followed by the remaining
digits of D.
4. Repeat steps 2-3 until all the digits of D have been processed.

The result of the final calculation in step 2 will be D mod 97 = N mod 97.

Example of IBAN check digit test

This uses the initial string example of a valid United Kingdom IBAN
string: GB82WEST12345698765432

Which when repositioned for the numeric conversion becomes:

WEST12345698765432GB82

When the above is converted to digits (A = 10, B = 11, C = 12, Z = 35)
the resulting number is D below.

In this example, the above algorithm for D mod 97 will be applied to
D = 3214282912345698765432161182. (The digits are colour-coded to aid
the description below.) If the result is one, the IBAN corresponding
to D passes the check digit test.

1. Construct N from the first 9 digits of D.
N = 321428291.
2. Calculate N mod 97 = 70.
3. Construct a new 9-digit N from the above result (step 2) followed
by the next 7 digits of D.
N = 702345698
4. Calculate N mod 97 = 29.
5. Construct a new 9-digit N from the above result (step 4) followed
by the next 7 digits of D.
N = 297654321
6. Calculate N mod 97 = 24.
7. Construct a new N from the above result (step 6) followed by the
remaining 5 digits of D.
N = 2461182
8. Calculate N mod 97 = 1.

>From step 8, the final result is D mod 97 = 1 and the IBAN has
passed this check digit test.

This code has been tested on both Codeblocks 12.11 (windows 7 ultimate
64-bit) and GCC 4.4.7 on CentOS 6.4 (64-bit).  Here is the output from
building on CentOS 6.4 with the following command:

[bill at ...3492... ~]\$ gcc -Wall -ansi -pedantic -O2 -o iban iban.c
[bill at ...3492... ~]\$ ./iban

The user input the string: GB82WEST12345698765432

The length of the string the user input is: 22

Match Found, Country Code is: GB, Country is United Kingdom...

Success: found digits in IBAN_STRING positions 3 and 4

Success: positions 5 thru 8 are alphabetic...

Success: positions 9 thru 22 are numeric...

The original buffer sent to function 'mod97chk' is:

WEST12345698765432GB82

The original buffer converted to all digits is:

3214282912345698765432161182

Warning: IBAN string - GB82WEST12345698765432 found in data stream
(cleartext)...

With modifications, this could be incorporated into the SDF preprocessor
in Snort 2.9.4.x and/or the DLP module in ClamAV 0.97.x or higher (more PII
data capability) :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140328/765afd16/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iban.c
Type: text/x-csrc
Size: 79606 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140328/765afd16/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iban.h
Type: text/x-chdr
Size: 7126 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140328/765afd16/attachment.h>
```