[Snort-users] preprocessor sensitive_data (snort

Ryan Jordan ryan.jordan at ...1935...
Fri Jun 4 10:54:25 EDT 2010

While I'm at it, here's a little insight as to why the SSN rules are so noisy.

SSNs are broken up into three sections: AAA-GG-SSSS, where

AAA is the three-digit Area Number
GG is the two-digit Group Number
SSSS is the four-digit Serial Number

Now, there is a list of all valid three-digit Areas, and the highest
Group assigned to them. You can see such lists here:

Here's the problem:
- Most 3-digit Area numbers are valid. They go 001 through 772. (The
area 666 is invalid, since it's the Number of the Beast.)
- For a good portion of these Areas, most (or all) of the Groups are valid.
- All 4-digit Serial numbers are valid, except for 0000.
- There are no check digits

So, we do take advantage of the "high group" list to throw out invalid
numbers. However, the nature of the problem is that you can generate a
random 9-digit number, and it has a *really good* chance at being a
valid SSN. Thus, the rule for SSNs without dashes is really noisy.

I hope this has been helpful for some people. Now, back to your
regularly-scheduled questions about the database output plugin.
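
An added example (my code, not Ryan's and not Snort's sensitive_data preprocessor) that puts numbers on the point above: it implements the structural SSN check the post describes (area 001-772 with 666 excluded, group no higher than the area's "high group", serial not 0000, no check digit), then counts exactly how many of the 10^9 possible 9-digit strings survive it, and finally runs a dashed and a no-dash pattern over a constructed payload. The high-group table here is a small constructed stand-in with an assumed default of 99 for areas it does not list, not the SSA's published list; the group issuance order used to rank groups (odd 01-09, even 10-98, even 02-08, odd 11-99) is the SSA's historical scheme, which the post does not spell out.

```python
import re
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed, illustrative high-group table: area -> highest group issued.
# This is NOT the SSA's real list; areas not present fall back to the
# assumed DEFAULT_HIGH_GROUP below.
HIGH_GROUP: Dict[str, int] = {
    "001": 98, "212": 97, "545": 99, "700": 18, "750": 6,
}
DEFAULT_HIGH_GROUP = 99  # assumption for areas missing from the toy table

# SSA issued groups within an area in this order (odd 01-09, even 10-98,
# even 02-08, odd 11-99). "Highest group" is the furthest point reached in
# this sequence, so validity is a rank comparison, not a numeric one.
GROUP_ORDER = (
    list(range(1, 10, 2)) + list(range(10, 99, 2))
    + list(range(2, 9, 2)) + list(range(11, 100, 2))
)
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}


def area_is_valid(area: str) -> bool:
    """Areas run 001..772; 666 was never issued (as the post notes)."""
    n = int(area)
    return 1 <= n <= 772 and n != 666


def group_is_valid(area: str, group: str) -> bool:
    """Group must be 01..99 and at or before the area's high group."""
    g = int(group)
    if g not in GROUP_RANK:
        return False
    high = HIGH_GROUP.get(area, DEFAULT_HIGH_GROUP)
    return GROUP_RANK[g] <= GROUP_RANK[high]


def serial_is_valid(serial: str) -> bool:
    """Every 4-digit serial is valid except 0000; there is no check digit."""
    return serial != "0000"


def is_plausible_ssn(digits: str) -> bool:
    """Structural check over a 9-digit string, with no dashes."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area_is_valid(area) and group_is_valid(area, group)
            and serial_is_valid(serial))


def fraction_of_random_9digit_accepted() -> Fraction:
    """Exact share of all 10^9 nine-digit strings that pass the check."""
    total = 0
    for a in range(1, 773):
        area = f"{a:03d}"
        if not area_is_valid(area):
            continue
        high = HIGH_GROUP.get(area, DEFAULT_HIGH_GROUP)
        groups_accepted = GROUP_RANK[high] + 1   # groups at or before high
        total += groups_accepted * 9999          # serials 0001..9999
    return Fraction(total, 10 ** 9)


# The two pattern shapes the post contrasts: with dashes and without.
DASHED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
NODASH = re.compile(r"\b(\d{9})\b")


def find_ssn_candidates(text: str) -> List[Tuple[str, str]]:
    """Return (pattern, match) pairs that also pass the structural check."""
    hits: List[Tuple[str, str]] = []
    for m in DASHED.finditer(text):
        if is_plausible_ssn("".join(m.groups())):
            hits.append(("dashed", m.group(0)))
    for m in NODASH.finditer(text):
        if is_plausible_ssn(m.group(1)):
            hits.append(("nodash", m.group(1)))
    return hits


# Constructed payload: an order number, a rejected area, a real-looking
# dashed SSN, and a serial of 0000.
SAMPLE = ("order 123456789 shipped; ref 666121234; "
          "patient 545-99-0001; tracking 772990000")

if __name__ == "__main__":
    share = fraction_of_random_9digit_accepted()
    print(f"random 9-digit strings accepted: {float(share):.1%}")
    for kind, match in find_ssn_candidates(SAMPLE):
        print(kind, match)
```

With the toy table roughly three out of four random 9-digit strings pass, and the no-dash pattern duly flags the constructed order number 123456789 while the dashed pattern only fires on the dashed value; tightening the high-group table shaves off some of that, but nothing short of a check digit would make the no-dash rule quiet.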

