[Snort-users] Sensitive Data Preprocessor: logging single matches

Erik Johnson ejohnson at ...15166...
Fri Feb 25 19:58:35 EST 2011


I have enabled the SDP and have it successfully logging matches for
Credit Card numbers and SSNs being sent in the clear through a mail
server. However, according to the following README:

http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD

The preprocessor's alert threshold must be 'higher than the highest
individual count in your "sd_pattern" rules'. With sd_pattern allowing a
minimum count of 1, this means that the alert_threshold should be set to
a minimum of 2. In fact, when I set it to 1, it still didn't log an
alert until I put 2 valid credit card numbers into the email. This makes
catching emails with single credit card numbers impossible. Is there a
reason for this restriction, or a way around it?

I apologize if this has been answered before; I searched but was unable
to find any explanation.
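The configuration the question describes, written out as an added illustration (not the poster's own snort.conf, and not an answer to the question): the preprocessor line carries the global alert_threshold, while each sd_pattern rule carries its own per-session match count. The port, SID and message strings are assumptions chosen for a mail server; the option names and the gid 138 requirement come from the README linked above.

```snort
# Preprocessor configuration (snort.conf). Per the README, alert_threshold
# must exceed the highest sd_pattern count used in any rule, so with an
# sd_pattern count of 1 the lowest usable threshold is 2.
preprocessor sensitive_data: alert_threshold 2 \
    mask_output

# Rule with the minimum per-session count (local.rules). gid:138 is
# required for rules that use the sd_pattern option. Port 25 and the
# sid/msg values are assumptions for a cleartext SMTP server.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
    (msg:"ASSUMED - single credit card number in outbound SMTP"; \
     gid:138; sid:1000001; rev:1; \
     sd_pattern:1,credit_card; \
     metadata:service smtp;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
    (msg:"ASSUMED - single US SSN (with dashes) in outbound SMTP"; \
     gid:138; sid:1000002; rev:1; \
     sd_pattern:1,us_social; \
     metadata:service smtp;)
```

With mask_output on, the logged payload shows only the last four digits of each match, which keeps the alert records themselves from becoming a second copy of the cleartext PII.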
