[Snort-users] preprocessor sensitive_data (snort

Jason Wallace jason.r.wallace at ...11827...
Fri Jun 4 09:58:35 EDT 2010

We have the same issue. I know this preprocessor is new, and while it
has huge potential, there are some challenges with it.

1. Long strings of numbers trigger false positives.

I saw this in some web traffic trigger the "SENSITIVE-DATA U.S. Social
Security Numbers w/out dashes" rule...

--10  05/25/2010  STBT    93       93      1      0       3780089812
----  05/25/2010  RTL     68       0       1      0       3780089812
--11  05/24/2010  STBT    122      122     73     0       3780089689
----  05/24/2010  RTL     81       81      73     0       3780089689
--13  05/22/2010  STBT    123      123     92     1       3780089566

In those strings there might be 9 consecutive digits that could be an
SSN, but the strings themselves are too long, making it unlikely they
are actually SSNs. An option to say it has to be exactly 9 digits to
be considered an SSN would help with this.

2. You can only have 1 rule with each default pattern type.

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]
(msg:"SENSITIVE-DATA U.S. Social Security Numbers with dashes";
metadata:service http, service smtp, service ftp-data, service imap,
service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138;

You can NOT split that like so...

U.S. Social Security Numbers with dashes HTTP"; metadata:service http;
sd_pattern:2,us_social; classtype:sdf; sid:10; gid:138; rev:1;)

U.S. Social Security Numbers with dashes SMTP"; metadata:service smtp;
sd_pattern:2,us_social; classtype:sdf; sid:11; gid:138; rev:1;)

If you try you get this error...

ERROR: Sensitive Data rule 138:11 uses a pattern that duplicates rule 138:10.
Fatal Error, Quitting..

Being able to split them would provide more targeted detection.

3. From the README.sensitive_data.bz2

    sd_pattern is not compatible with other rule options. Trying to use
    other rule options with sd_pattern will result in an error message.

This makes it difficult to write rules that will not pick up on things
like cookie strings.
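Added example, not Snort code and not from the original post: a small Python check that contrasts the loose behaviour described in point 1 (nine digits anywhere, which fires on the 10-digit values in the sample) with the exact-nine-digit match the poster asks for. The sample lines are constructed from the report above; the count threshold mirrors the leading number in sd_pattern:2,us_social, assumed here to mean the number of matches needed before an alert.

```python
import re

# Constructed sample lines modelled on the traffic in the report above; the
# last column is the 10-digit value the poster says fired the SSN rule.
# The final line is a constructed bare 9-digit token for comparison.
SAMPLE_LINES = [
    "--10  05/25/2010  STBT    93       93      1      0       3780089812",
    "----  05/25/2010  RTL     68       0       1      0       3780089812",
    "--11  05/24/2010  STBT    122      122     73     0       3780089689",
    "Customer note: SSN 123456789 on file",
]

# Loose pattern: nine digits wherever they occur, so a longer digit run
# still contains a match (the false-positive case from the post).
LOOSE = re.compile(r"\d{9}")

# Strict pattern: exactly nine digits, bounded by non-digits on both sides,
# which is the "has to be exactly 9 digits" option the poster wants.
STRICT = re.compile(r"(?<!\d)\d{9}(?!\d)")


def loose_hits(line):
    """Nine-digit substrings a loose match would report for one line."""
    return [m.group() for m in LOOSE.finditer(line)]


def strict_hits(line):
    """Standalone nine-digit tokens an exact-length match would report."""
    return [m.group() for m in STRICT.finditer(line)]


def flagged_lines(lines, pattern):
    """Indexes of lines that contain at least one match for pattern."""
    return [i for i, line in enumerate(lines) if pattern.search(line)]


def would_alert(lines, pattern, count=2):
    """Assumed sd_pattern semantics: alert once 'count' matches are seen."""
    total = sum(len(pattern.findall(line)) for line in lines)
    return total >= count


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        print(i, loose_hits(line), strict_hits(line))
    print("loose alert:", would_alert(SAMPLE_LINES, LOOSE))
    print("strict alert:", would_alert(SAMPLE_LINES, STRICT))
```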


On Fri, Jun 4, 2010 at 8:39 AM, Joel Esler <jesler at ...1935...> wrote:
> Take a look at the sensitive-data.rules as well as the README for the
> sensitive data preprocessor to see how you can write your own rules, etc, to
> detect what you'd like.
> The rules are great examples, you can build from there.
> On Jun 3, 2010, at 6:06 PM, Lawrence R. Hughes, Sr. wrote:
> Hi,
> When we enable the "preprocessor sensitive_data", we are getting alerts for
> everyday cookies.
> Is there a way to tighten this up or disable the cookies from being
> detected?
> --
> Joel Esler
> 302-223-5974
> Jabber: jesler at ...1935...
