[Snort-users] preprocessor sensitive_data (snort 2.8.6.0)

Ryan Jordan ryan.jordan at ...1935...
Fri Jun 4 11:32:23 EDT 2010


Ron,

Which output plugin are you using? If you are getting some
obfuscation, but in the wrong spot, this is also a known bug that will
be fixed.

-Ryan

On Fri, Jun 4, 2010 at 11:22 AM, Ron Jenkins <rjenkins at ...14345...> wrote:
> Good morning;
>
> Also the mask out option does not appear to work either.
>
> Thx
>
> Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,CNE6,MCPS,MCNPS,CCNA)
> RMJ Consulting, LLC.
> "Bringing Companies and Solutions Together"
> Owner / Senior Architect
> Physical Address: 11715 Bricksome Ave STE B-7, Baton Rouge, LA 70816
> Mail Address: 7575 Jefferson Hwy #103, Baton Rouge, LA 70806
> Office. 225-448-5214
> Fax. 225-448-5324
> Cell. 225-931-1632
> Email. rjenkins at ...13980...
> Web. http://www.rmjconsulting.net
> http://www.linkedin.com/in/ronmjenkins
>
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
> Sent: Friday, June 04, 2010 9:40 AM
> To: Jason Wallace
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)
>
> Jason,
>
> Your concerns are all definitely valid.
>
> On Fri, Jun 4, 2010 at 9:58 AM, Jason Wallace <jason.r.wallace at ...14542....>
> wrote:
>> We have the same issue. I know this preprocessor is new, and while it
>> has huge potential, there are some challenges with it.
>>
>> 1. Long strings of numbers trigger false positives.
>
> This was a bug in the Release Candidate. As of Snort 2.8.6 final, both
> the "us_social" and "us_social_nodashes" patterns require a non-digit
> on both sides of the number. Have you seen this problem since
> upgrading to the release version?
>
>> 2. You can only have 1 rule with each default pattern type.
>
> I have a bug sitting in my Bugzilla queue right now to go back and fix
> this. Expect a change in the next major Snort release.
>
>> 3. From the README.sensitive_data.bz2
>>
>> Caveats:
>>    sd_pattern is not compatible with other rule options. Trying to use
>>    other rule options with sd_pattern will result in an error message.
>
> This one is not expected to change in the next release. I'll try to
> explain briefly.
>
> Normally, when a rule is parsed, it gets broken into sections and
> thrown into a "tree" with the other rules. Then, after all the
> preprocessors are done running on a packet, Snort goes through this
> tree and starts matching rules against the packet.
>
> When a sensitive data rule gets parsed, it does not go in the tree
> with the other rules. Instead, the Sensitive Data preprocessor becomes
> responsible for matching patterns and firing alerts. This gets done
> before the rest of the rules are even evaluated.
>
> I have an idea or two for organizing things differently so that this
> isn't a problem, but it's not a quick fix, and thus not very high on
> my list of priorities right now. I will try to get to it as time
> allows.
>
> -Ryan
>
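The boundary rule Ryan describes for the 2.8.6 patterns (a non-digit on both sides of the number) next to the release-candidate behaviour, plus a mask-out pass over constructed sample lines, as an added Python example that is not Snort's code. The regexes are simplified approximations of the two sd_pattern types and the masking style is assumed.

```python
import re

# Constructed approximations of the two SSN sd_pattern types named in the thread;
# they illustrate the boundary rule and are not Snort's own matchers.
PATTERNS = {"us_social": r"\d{3}-\d{2}-\d{4}", "us_social_nodashes": r"\d{9}"}

def compile_patterns(require_boundaries):
    """False reproduces the release-candidate bug (a 9-digit run inside any longer
    digit string fires); True demands a non-digit on both sides, as in 2.8.6."""
    compiled = {}
    for name, body in PATTERNS.items():
        if require_boundaries:
            body = r"(?<!\d)" + body + r"(?!\d)"
        compiled[name] = re.compile(body)
    return compiled

def scan(text, require_boundaries=True):
    """Return sorted (offset, pattern_name, matched_text) tuples found in text."""
    hits = []
    for name, rx in compile_patterns(require_boundaries).items():
        for m in rx.finditer(text):
            hits.append((m.start(), name, m.group(0)))
    return sorted(hits)

def mask(text, require_boundaries=True):
    """Replace every digit of each hit except the last four with 'X', keeping
    dashes in place (the masking style is this example's choice, not Snort's)."""
    out = text
    # Work right to left so earlier offsets stay valid after each replacement.
    for start, _name, matched in reversed(scan(text, require_boundaries)):
        total = sum(ch.isdigit() for ch in matched)
        seen, masked = 0, []
        for ch in matched:
            if ch.isdigit():
                seen += 1
                masked.append(ch if seen > total - 4 else "X")
            else:
                masked.append(ch)
        out = out[:start] + "".join(masked) + out[start + len(matched):]
    return out

# Constructed sample payload lines, not captured traffic.
SAMPLES = [
    "order=123456789012345&status=ok",  # 15-digit order id: RC false positive
    "ssn=123-45-6789&name=test",        # dashed SSN
    "customer 987654321 confirmed",     # undashed SSN
    "tracking 1234567890",              # 10 digits: not an SSN
]
```

Running `scan(line, require_boundaries=False)` against the first sample shows the release-candidate false positive; with boundaries required only the two genuine SSN-shaped tokens are reported and masked.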