[Snort-users] preprocessor sensitive_data (snort

Ryan Jordan ryan.jordan at ...1935...
Fri Jun 4 10:17:19 EDT 2010

If you're getting a lot of false positives, there's a few things you can do.

1) Turn up the threshold on that particular rule. Sensitive Data rule
have the "sd_pattern" option in them. It works like this:


The <count> part specifies how many instances of the pattern you need
to see before an alert gets generated. This counter is used per TCP
stream, not packet.

2) Restrict the ports on which you're running the noisy rule.

3) Disable the rule. "U.S. Social Security Numbers (w/out dashes)" in
particular is very prone to false positives. It was provided
separately from the other SSN rule so that you could turn it off

On Fri, Jun 4, 2010 at 8:39 AM, Joel Esler <jesler at ...1935...> wrote:
> Take a look at the sensitive-data.rules as well as the README for the
> sensitive data preprocessor to see how you can write your own rules, etc, to
> detect what you'd like.
> The rules are great examples, you can build from there.
> On Jun 3, 2010, at 6:06 PM, Lawrence R. Hughes, Sr. wrote:
> Hi,
> When we enable the "preprocessor sensitive_data", we are getting alerts for
> everyday cookies.
> Is there a way to tighten this up or disable the cookies from being
> detected?
> --
> Joel Esler
> 302-223-5974
> Jabber: jesler at ...1935...
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> lucky parental unit.  See the prize list and enter to win:
> http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list