[Snort-users] preprocessor sensitive_data (snort 2.8.6.0)

Ryan Jordan ryan.jordan at ...1935...
Fri Jun 4 10:39:55 EDT 2010


Jason,

Your concerns are all definitely valid.

On Fri, Jun 4, 2010 at 9:58 AM, Jason Wallace <jason.r.wallace at ...11827...> wrote:
> We have the same issue. I know this preprocessor is new, and while it
> has huge potential, there are some challenges with it.
>
> 1. Long strings of numbers trigger false positives.

This was a bug in the Release Candidate. As of Snort 2.8.6 final, both
the "us_social" and "us_social_nodashes" patterns require a non-digit
on both sides of the number. Have you seen this problem since
upgrading to the release version?

> 2. You can only have 1 rule with each default pattern type.

I have a bug sitting in my Bugzilla queue right now to go back and fix
this. Expect a change in the next major Snort release.

> 3. From the README.sensitive_data.bz2
>
> Caveats:
>    sd_pattern is not compatible with other rule options. Trying to use
>    other rule options with sd_pattern will result in an error message.

This one is not expected to change in the next release. I'll try to
explain briefly.

Normally, when a rule is parsed, it gets broken into sections and
thrown into a "tree" with the other rules. Then, after all the
preprocessors are done running on a packet, Snort goes through this
tree and starts matching rules against the packet.

When a sensitive data rule gets parsed, it does not go in the tree
with the other rules. Instead, the Sensitive Data preprocessor becomes
responsible for matching patterns and firing alerts. This gets done
before the rest of the rules are even evaluated.

I have an idea or two for organizing things differently so that this
isn't a problem, but it's not a quick fix, and thus not very high on
my list of priorities right now. I will try to get to it as time
allows.

-Ryan
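The boundary fix Ryan describes (a non-digit required on both sides of the number) is the difference between a pattern that fires on any nine consecutive digits and one that only fires on a delimited SSN-shaped value. The following Python is an added illustration written for this archive page; it is not Snort's code and does not reproduce the Sensitive Data preprocessor's exact matching (the real preprocessor also works on reassembled payloads and, per README.sensitive_data, takes a match count per `sd_pattern`). The sample payloads are constructed, and `alert_threshold_hit` is a hypothetical stand-in for that count semantics.

```python
import re

# Constructed sample payloads (not real data). The first two contain
# SSN-shaped values; the third is a long digit run (a serial number)
# of the kind that produced false positives in the release candidate.
SAMPLES = [
    "ssn=123-45-6789",                       # dashed form
    "account holder id 123456789 on file",   # undashed, space-delimited
    "tracking 9876543210123456789",          # 19-digit run: must NOT match
]

# Release-candidate style: no boundary check, so any nine consecutive
# digits anywhere inside a longer digit run are reported.
RC_NODASHES = re.compile(r"\d{9}")

# Release style as described on the list: a non-digit (or the start/end
# of the buffer) must surround the number. (?<!\d) and (?!\d) are
# zero-width lookarounds, so they consume nothing and overlap correctly.
FINAL_SOCIAL = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
FINAL_NODASHES = re.compile(r"(?<!\d)\d{9}(?!\d)")


def count_hits(pattern, payload):
    """Number of non-overlapping matches of `pattern` in one payload."""
    return len(pattern.findall(payload))


def scan(payload):
    """Match counts per pattern name for a single payload."""
    return {
        "rc_nodashes": count_hits(RC_NODASHES, payload),
        "us_social": count_hits(FINAL_SOCIAL, payload),
        "us_social_nodashes": count_hits(FINAL_NODASHES, payload),
    }


def alert_threshold_hit(payloads, pattern, threshold):
    """Hypothetical count semantics: alert once total matches across the
    given payloads reach `threshold` (mirrors the idea of an sd_pattern
    count, not Snort's exact bookkeeping)."""
    total = sum(count_hits(pattern, p) for p in payloads)
    return total >= threshold


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r}: {scan(p)}")
    print("RC pattern reaches threshold 2:",
          alert_threshold_hit(SAMPLES, RC_NODASHES, 2))
    print("Final pattern reaches threshold 2:",
          alert_threshold_hit(SAMPLES, FINAL_NODASHES, 2))
```

Running it shows the 19-digit tracking number yielding two hits under the release-candidate style pattern and none under the boundary-checked one, while the genuinely delimited values still match; when tuning a deployment, feeding representative traffic samples through a check like this is a cheap way to estimate the false-positive rate before lowering the preprocessor's alert threshold.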
