[Snort-users] sensitive data pre-processor

waldo kitty wkitty42 at ...14940...
Wed Sep 29 12:49:31 EDT 2010


is anyone else getting FPs with the sensitive data pre-processor?

every single firing i've seen of the sensitive data rules has been a false 
positive and always apparently related to the serialization numbers used in web 
forms on forums and social networking sites...

currently i have the SDF email addresses and social security numbers (w/out 
dashes) disabled... i've had numerous firings on the social security numbers (w/ 
dashes) rule, too, but have not yet disabled it...

it is especially telling when the SSN rules fire on sites that have no SSN data 
on them or those that do but it has never been given...

can the SDF decode encoded strings and may it possibly be detecting sensitive 
data in there??




