[Snort-users] sensitive data pre-processor
wkitty42 at ...14940...
Wed Sep 29 12:49:31 EDT 2010

is anyone else getting FPs with the sensitive data pre-processor?

every single firing i've seen of the sensitive data rules has been a false
positive and always apparently related to the serialization numbers used in web
forms on forums and social networking sites...

currently i have the SDF email addresses and social security numbers (w/out
dashes) disabled... i've had numerous firings on the social security numbers (w/
dashes) rule, too, but have not yet disabled it...

it is especially telling when the SSN rules fire on sites that have no SSN data
on them or those that do but it has never been given...

can the SDF decode encoded strings and may it possibly be detecting sensitive
data in there??