[Snort-sigs] Signature for credit card numbers

Cove Schneider cove at ...1957...
Thu Oct 9 15:27:05 EDT 2003

On Thursday, October 9, 2003, at 02:47 PM, Sean Perry wrote:

> Cove Schneider wrote:
>> Hello,
>> Has anyone attempted to make any signatures to try and catch credit 
>> card numbers? e.g. someone sending a CC number in an email, via FTP, 
>> P2P etc... Sending them insecurely, or even malicious intent... I'm 
>> interested in verifying that this isn't going on, of course.
>> Anyone have any thoughts on this?
> Well, let's see.
> A credit card number is 16 digits long (at least here in the US, maybe 
> not elsewhere).  The first number is 3 (amex),4 (visa),5 (master) or 6 
> (discover).
> So you need something that matches (in perl style regex): 
> '[3456]\d{15}' or '[3456]\d{3}(?:-\d{4}){3}'.  This covers the dashed 
> notation as well as the all scrunched style.  If they do '3456 5678 
> ...' it won't catch them.  The second regex could be replicated for 
> this though.
> That is a good start.  You could get fancy is you knew the algorithm 
> used to make the card numbers.  Also, American Express may not be 16 
> digits, I forget.  I know the other 3 always are.

Thanks for the info. I haven't read up enough on snort rules, does it 
support regex?


More information about the Snort-sigs mailing list