[Snort-users] Detecting Social Security Numbers?

Truax, Shawn (MBS) Shawn.Truax at ...8509...
Sat Sep 11 19:36:05 EDT 2004


If I have everything right the following should work better and catch the
0's as well.

/\d{3}-\d{2}-\d{4}/

As well its better to use $HOME_NET any -> $EXTERNAL_NET any rather then any
any -> any any.  Helps speed up the rules.

If you need to do a lot (or a little) regex work check out this little
program I found its really helpful and allows you to test more thoroughly
your expressions.

Regex Coach
http://www.weitz.de/regex-coach/

Shawn Truax
Sr. Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107


-----Original Message-----
From: Brian [mailto:bmc at ...950...]
Sent: September 10, 2004 5:04 PM
To: Harper, Patrick
Cc: Lyons, Jon; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Dectecting Social Security Numbers?


On Fri, Sep 10, 2004 at 03:10:14PM -0500, Harper, Patrick wrote:
> /[1-9]{3,3}[-][1-9]{2,2}[-][1-9]{4,4}/

Lots of wasted foo.

    /[1-9]{3}-[1-9]{2}-[1-9]{4}/

-b


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM. 
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040911/1493a094/attachment.html>


More information about the Snort-users mailing list