[Snort-users] Dectecting Social Security Numbers?

Adam Levy grand.admiral at ...11827...
Fri Sep 10 11:44:03 EDT 2004


Without digging in to the structure of the rule, a simple worry that I
had is this:
>alert tcp any any -> any any (msg:"Socail Security Number Clear
Text"; pcre:"m!(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!";)

Please note that "Socail" is a potential problem.

Other technical answers forthcoming for sure...

Adam

----- Original Message -----
From: Lyons, Jon <jon_lyons at ...11066...>
Date: Fri, 10 Sep 2004 13:01:44 -0500
Subject: [Snort-users] Dectecting Social Security Numbers?
To: snort-users at lists.sourceforge.net

 
 

  

I'm trying to get snort to generate an alert for SS#'s, I've tried the
rule below but no alerts are generated. I tested this with pcretest
and it works…am I missing something?

alert tcp any any -> any any (msg:"Socail Security Number Clear Text";
pcre:"m!(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!";)




More information about the Snort-users mailing list