[Snort-users] preprocessor sensitive_data (snort 2.8.6.0)

Ryan Jordan ryan.jordan at ...1935...
Fri Jun 4 11:52:10 EDT 2010


Ah, that explains it.

The preprocessor marks which sections of the packet need to be X'd
out, but it's the job of the output plugin to actually log the
obfuscated version of the packet. The MySQL output plugin did not get
updated.

In general, the MySQL output plugin is not heavily supported. Using it
is detrimental to performance, anyway. Snort can't process the next
packet while it waits for the MySQL plugin to finish its database
insert. When you get the chance, I would suggest you switch to
Unified2 (which does obfuscation), and use Barnyard2
(http://www.securixlive.com/barnyard2/index.php) to handle your
database inserts.

-Ryan

P.S. That counts as your regularly-scheduled database output plugin question.

On Fri, Jun 4, 2010 at 11:36 AM, Ron Jenkins <rjenkins at ...14345...> wrote:
> Database to MySQL
>
> Below is the Preprocessor config too.
>
> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
> preprocessor sensitive_data: alert_threshold 25 \
>                                 mask_output
>
> Thx
>
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
> Sent: Friday, June 04, 2010 10:32 AM
> To: Ron Jenkins
> Cc: Jason Wallace; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)
>
> Ron,
>
> Which output plugin are you using? If you are getting some
> obfuscation, but in the wrong spot, this is also a known bug that will
> be fixed.
>
> -Ryan
>
> On Fri, Jun 4, 2010 at 11:22 AM, Ron Jenkins <rjenkins at ...14345...> wrote:
>> Good morning;
>>
>> Also the mask out option does not appear to work either.
>>
>> Thx
>>
>> Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,CNE6,MCPS,MCNPS,CCNA)
>> RMJ Consulting, LLC.
>> "Bringing Companies and Solutions Together"
>> Owner / Senior Architect
>> Physical Address
>> 11715 Bricksome Ave STE B-7
>> Baton Rouge, LA 70816
>> Mail Address
>> 7575 Jefferson Hwy #103
>> Baton Rouge, LA 70806
>> Office. 225-448-5214
>> Fax. 225-448-5324
>> Cell. 225-931-1632
>> Email. rjenkins at ...13980...
>> Web. http://www.rmjconsulting.net
>> http://www.linkedin.com/in/ronmjenkins
>>
>> -----Original Message-----
>> From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
>> Sent: Friday, June 04, 2010 9:40 AM
>> To: Jason Wallace
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] preprocessor sensitive_data (snort 2.8.6.0)
>>
>> Jason,
>>
>> Your concerns are all definitely valid.
>>
>> On Fri, Jun 4, 2010 at 9:58 AM, Jason Wallace <jason.r.wallace at ...14459.....>
>> wrote:
>>> We have the same issue. I know this preprocessor is new, and while it
>>> has huge potential, there are some challenges with it.
>>>
>>> 1. Long strings of numbers trigger false positives.
>>
>> This was a bug in the Release Candidate. As of Snort 2.8.6 final, both
>> the "us_social" and "us_social_nodashes" patterns require a non-digit
>> on both sides of the number. Have you seen this problem since
>> upgrading to the release version?
>>
>>> 2. You can only have 1 rule with each default pattern type.
>>
>> I have a bug sitting in my Bugzilla queue right now to go back and fix
>> this. Expect a change in the next major Snort release.
>>
>>> 3. From the README.sensitive_data.bz2
>>>
>>> Caveats:
>>>    sd_pattern is not compatible with other rule options. Trying to use
>>>    other rule options with sd_pattern will result in an error message.
>>
>> This one is not expected to change in the next release. I'll try to
>> explain briefly.
>>
>> Normally, when a rule is parsed, it gets broken into sections and
>> thrown into a "tree" with the other rules. Then, after all the
>> preprocessors are done running on a packet, Snort goes through this
>> tree and starts matching rules against the packet.
>>
>> When a sensitive data rule gets parsed, it does not go in the tree
>> with the other rules. Instead, the Sensitive Data preprocessor becomes
>> responsible for matching patterns and firing alerts. This gets done
>> before the rest of the rules are even evaluated.
>>
>> I have an idea or two for organizing things differently so that this
>> isn't a problem, but it's not a quick fix, and thus not very high on
>> my list of priorities right now. I will try to get to it as time
>> allows.
>>
>> -Ryan
>>
>
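To make the two points from Ryan's replies concrete (the release-version us_social patterns requiring a non-digit on both sides, and masking being applied by the output plugin rather than by the preprocessor), here is an added Python illustration; it is not Snort's own code. The regexes, the span list and the masking rule are my reconstruction, and the "keep the last four digits" behaviour is an assumption taken from how the Snort manual describes mask_output.

```python
import re
from typing import List, Tuple

# Constructed reconstruction, not Snort's C implementation: both SSN patterns
# refuse a match when a digit sits directly before or after the number, which
# is what keeps a long run of digits from counting as a hit.
SD_PATTERNS = {
    "us_social": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "us_social_nodashes": re.compile(r"(?<!\d)\d{9}(?!\d)"),
}

Span = Tuple[str, int, int]  # (pattern name, start offset, end offset)


def find_sensitive_spans(payload: str) -> List[Span]:
    """Preprocessor side: only records where PII was seen in the payload.
    The payload itself is left untouched; masking happens later."""
    spans: List[Span] = []
    for name, rx in SD_PATTERNS.items():
        for m in rx.finditer(payload):
            spans.append((name, m.start(), m.end()))
    return sorted(spans, key=lambda s: s[1])


def should_alert(spans: List[Span], alert_threshold: int) -> bool:
    """alert_threshold N (as in the config quoted in the thread): alert once
    at least N PII matches have been counted."""
    return len(spans) >= alert_threshold


def mask_for_output(payload: str, spans: List[Span]) -> str:
    """Output-plugin side: X out the marked digits, keeping the last four
    (assumed, following the Snort manual's description of mask_output).
    An output plugin that ignores the spans, as the MySQL plugin here did,
    logs the cleartext payload."""
    out = list(payload)
    for _, start, end in spans:
        keep = 4
        for i in range(end - 1, start - 1, -1):  # walk backwards over the match
            if not out[i].isdigit():
                continue
            if keep > 0:
                keep -= 1
            else:
                out[i] = "X"
    return "".join(out)


if __name__ == "__main__":
    sample = "acct 123-45-6789 ref 12345678901234 id=987654321"  # constructed
    hits = find_sensitive_spans(sample)
    print(hits, should_alert(hits, 25))
    print(mask_for_output(sample, hits))
```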



