[Snort-users] Detecting Social Security Numbers?

Matt Kettler mkettler at ...4108...
Fri Sep 10 12:52:00 EDT 2004


At 02:01 PM 9/10/2004, Lyons, Jon wrote:
>I'm trying to get snort to generate an alert for SS#'s, I've tried the 
>rule below but no alerts are generated. I tested this with pcretest and it 
>works. Am I missing something?
>alert tcp any any -> any any (msg:"Social Security Number Clear Text"; 
>pcre:"m!(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!";)

I can't possibly imagine why that rule works with pcretest, but if you say 
so... It's clearly not any valid regex syntax that I've ever seen before, 
and it looks nothing like the regex syntax of any of the default rules in 
the snort ruleset.

What's the m! out front supposed to be doing, and why isn't that PCRE 
properly bounded with /'s? (all regexes should be bounded with a / at the 
start and a / at the end, with modifiers following the trailing /)

try something more like this to start with, then add PCRE syntax as needed:

pcre:"/\d\d\d[-/]\d\d[-/]\d\d\d\d\b/"

Note: I substituted \b for your \Z. I don't think EOL is really a good 
termination condition to use when doing general text string searches. What 
if it's in record-per-line format where the name comes after the SSN?
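The point about \Z versus \b can be checked offline before touching a sensor. The script below is an added example, not code from the thread or from the Snort project: it runs the two pcre bodies from the reply (Jon's with \Z, Matt's with \b) plus an assumed third variant that also bounds the start of the number, against a few constructed payloads that stand in for TCP payload buffers, and counts the hits. Python's re module is used as a stand-in for PCRE; one assumption to keep in mind is that Python's \Z matches only at the absolute end of the string, whereas PCRE's \Z also matches just before a final newline, so the samples are chosen so that both engines agree.

```python
import re

# pcre bodies as they appear in the thread (Snort's surrounding /.../ delimiters
# are not part of the Python pattern).
ORIGINAL_PATTERN = r"(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z"   # Jon's version: anchored to end of buffer
SUGGESTED_PATTERN = r"\d\d\d[-/]\d\d[-/]\d\d\d\d\b"     # Matt's version: word boundary instead of \Z
# Assumed extension, not from the thread: bound the start of the number as well,
# so a longer digit run that happens to contain an SSN-shaped tail is not reported.
BOUNDED_PATTERN = r"\b\d\d\d[-/]\d\d[-/]\d\d\d\d\b"

# Constructed sample payloads (not captured traffic), one per situation discussed.
SAMPLES = {
    "ssn_at_end": "SSN: 123-45-6789",
    "record_per_line": "123-45-6789\nSmith, John\n987-65-4321\nDoe, Jane\n",
    "embedded_in_longer_number": "ref 123-45-67890 next",
    "leading_digit": "id9123-45-6789 end",
    "no_ssn": "order 2004/09/10 qty 42",
}


def find_matches(pattern: str, payload: str) -> list[str]:
    """Return every substring of payload that the pattern matches."""
    return [m.group(0) for m in re.finditer(pattern, payload)]


def compare_patterns(samples: dict[str, str] = SAMPLES) -> dict[str, dict[str, int]]:
    """Count matches per sample for each pattern, so the effect of the
    termination condition is visible side by side."""
    patterns = {
        "original_Z": ORIGINAL_PATTERN,
        "suggested_b": SUGGESTED_PATTERN,
        "bounded_both": BOUNDED_PATTERN,
    }
    return {
        name: {label: len(find_matches(pat, payload)) for label, pat in patterns.items()}
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    for name, counts in compare_patterns().items():
        print(f"{name:28s} {counts}")
```

The record_per_line sample is the case the reply describes: with \Z the rule fires zero times because the buffer ends with a name, not a number, while \b finds both numbers. The leading_digit sample shows why the start of the number may also want a boundary once the basic rule works.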
