[Snort-sigs] Signature for credit card numbers

Cove Schneider cove at ...1957...
Sun Oct 12 20:03:03 EDT 2003


SS No. is also a good idea. Thanks.

Cove

On Friday, October 10, 2003, at 06:00 PM, Eric Kuhnke wrote:

> However, this might be a constructive use of time for an ISP seeking 
> to protect its customers...  Notice the rash of fake-ebay, fake-bank, 
> fake-credit-card spams with "We require you to verify your 
> information, please input your social security number, CC#, address 
> etc"
>
> A lot of these use masking of URLs in spam (thanks, MS Outlook!) and 
> link to offshore web servers with near-perfect replicas of the Ebay or 
> bank user interface.  Many of these use unsecured html forms to submit 
> the information.
>
> On the same note, a snort-sig to detect social security numbers might 
> also be useful, as they always come in this format: xxx-xx-xxxx (where 
> the first three digits are a prefix representing the state the card 
> was issued in.
>
>
> At 02:52 PM 10/9/2003 -0700, you wrote:
>> Yeah, because Snortin for credit card numbers on a network is a
>> constructive use of your time.
>> (and highly illegal)
>> :)
>>
>> Adam Towarnyckyj
>> Network Operations
>> CommSpeed
>> http://www.commspeed.net/
>> Phone: 928-772-1111 x131
>>
>>
>> -----Original Message-----
>> From: Sean Perry [mailto:sean.perry at ...1958...]
>> Sent: Thursday, October 09, 2003 2:48 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Signature for credit card numbers
>>
>> Cove Schneider wrote:
>>
>>> Hello,
>>>
>>> Has anyone attempted to make any signatures to try and catch credit
>> card
>>> numbers? e.g. someone sending a CC number in an email, via FTP, P2P
>>> etc... Sending them insecurely, or even malicious intent... I'm
>>> interested in verifying that this isn't going on, of course.
>>>
>>> Anyone have any thoughts on this?
>>>
>>
>> Well, let's see.
>>
>> A credit card number is 16 digits long (at least here in the US, maybe
>> not elsewhere).  The first number is 3 (amex),4 (visa),5 (master) or 6
>> (discover).
>>
>> So you need something that matches (in perl style regex): 
>> '[3456]\d{15}'
>>
>> or '[3456]\d{3}(?:-\d{4}){3}'.  This covers the dashed notation as 
>> well
>> as the all scrunched style.  If they do '3456 5678 ...' it won't catch
>> them.  The second regex could be replicated for this though.
>>
>> That is a good start.  You could get fancy is you knew the algorithm
>> used to make the card numbers.  Also, American Express may not be 16
>> digits, I forget.  I know the other 3 always are.
>>
>>
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: SF.net Giveback Program.
>> SourceForge.net hosts over 70,000 Open Source Projects.
>> See the people who have HELPED US provide better services:
>> Click here: http://sourceforge.net/supporters.php
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: SF.net Giveback Program.
>> SourceForge.net hosts over 70,000 Open Source Projects.
>> See the people who have HELPED US provide better services:
>> Click here: http://sourceforge.net/supporters.php
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> SourceForge.net hosts over 70,000 Open Source Projects.
> See the people who have HELPED US provide better services:
> Click here: http://sourceforge.net/supporters.php
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs





More information about the Snort-sigs mailing list