[Snort-sigs] Signature for credit card numbers

Sean Perry sean.perry at ...1958...
Thu Oct 9 14:49:01 EDT 2003


Cove Schneider wrote:

> Hello,
> 
> Has anyone attempted to make any signatures to try and catch credit card 
> numbers? e.g. someone sending a CC number in an email, via FTP, P2P 
> etc... Sending them insecurely, or even malicious intent... I'm 
> interested in verifying that this isn't going on, of course.
> 
> Anyone have any thoughts on this?
> 

Well, let's see.

A credit card number is 16 digits long (at least here in the US, maybe 
not elsewhere).  The first number is 3 (amex),4 (visa),5 (master) or 6 
(discover).

So you need something that matches (in perl style regex): '[3456]\d{15}' 
or '[3456]\d{3}(?:-\d{4}){3}'.  This covers the dashed notation as well 
as the all scrunched style.  If they do '3456 5678 ...' it won't catch 
them.  The second regex could be replicated for this though.

That is a good start.  You could get fancy is you knew the algorithm 
used to make the card numbers.  Also, American Express may not be 16 
digits, I forget.  I know the other 3 always are.






More information about the Snort-sigs mailing list