[Snort-users] Sensitive Data Preprocessor: logging single matches
ejohnson at ...15166...
Fri Feb 25 19:58:35 EST 2011
I have enabled the SDP and have it successfully logging matches for
Credit Card numbers and SSNs being sent in the clear through a mail
server. However, according to the following README:
The preprocessor's alert threshold must be 'higher than the highest
individual count in your "sd_pattern" rules'. With sd_pattern allowing a
minimum count of 1, this means that the alert_threshold should be set to
a minimum of 2. In fact, when I set it to 1, it still didn't log an
alert until I put 2 valid credit card numbers into the email. This makes
catching emails with single credit card numbers impossible. Is there a
reason for this restriction, or a way around it?
I apologize if this has been answered before; I searched but was unable
to find any explanation.
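To make the two counting mechanisms in the question concrete, here is an added illustration (my own code, not Snort's Sensitive Data Preprocessor and not from the original post) that models them: a per-rule count in the spirit of sd_pattern:<count>,<pattern>, and a separate global alert_threshold that only trips once the total number of validated hits in a message reaches it. The pattern names credit_card and us_social, the Luhn check for card candidates, the threshold semantics (rule fires at count >= its own count, global alert at total >= alert_threshold) and the sample messages are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or hyphens.
CC_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN in dashed form only (assumption for this example).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list:
    """Return only candidates that pass the Luhn check."""
    hits = []
    for m in CC_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_PATTERN.findall(text)


# Pattern name -> detector; names chosen to resemble sd_pattern keywords (assumption).
DETECTORS = {"credit_card": find_credit_cards, "us_social": find_ssns}


@dataclass
class SdRule:
    sid: int
    msg: str
    pattern: str
    count: int  # mirrors the <count> in sd_pattern:<count>,<pattern>


# Hypothetical rules: each fires on a single occurrence of its pattern.
RULES = [
    SdRule(1000001, "SENSITIVE-DATA credit card in clear", "credit_card", 1),
    SdRule(1000002, "SENSITIVE-DATA SSN in clear", "us_social", 1),
]

# Constructed sample mail bodies; the card numbers are well-known test numbers.
SAMPLE_MESSAGES = {
    "one_card": "Hi, please charge 4111 1111 1111 1111 for the order. Thanks.",
    "two_cards": "Cards on file: 4111111111111111 and 5500 0000 0000 0004.",
    "card_and_ssn": "Applicant 123-45-6789, card 4111-1111-1111-1111 expires 12/28.",
    "clean": "Order #20231115 ships Monday; tracking 1Z999.",
}


def evaluate(text: str, rules: list, alert_threshold: int) -> dict:
    """Count validated hits per pattern, then apply rule counts and the global threshold."""
    counts = {name: len(fn(text)) for name, fn in DETECTORS.items()}
    fired = [r.sid for r in rules if counts[r.pattern] >= r.count]
    total = sum(counts.values())
    return {
        "counts": counts,
        "fired_sids": fired,                    # rule-level alerts
        "global_alert": total >= alert_threshold,  # preprocessor-level alert
    }


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, evaluate(body, RULES, alert_threshold=2))
```

With alert_threshold set to 2, the one_card message trips the rule-level sid 1000001 but not the global alert; lowering the threshold to 1 makes both fire on a single card number. In a model like this the two counters are independent, which is why it is worth checking separately which of the two is producing (or suppressing) the alert you see in the logs.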