[Snort-users] Sensitive Data Preprocessor: logging single matches
vroemer at ...1935...
Fri Feb 25 20:59:54 EST 2011
I think I can clear this up for you.
preprocessor sensitive_data: alert_threshold 25
This configuration dictates that 25 occurrences of ANY combination of sdf rules being hit in a given session will cause SDF_COMBO_ALERT (139:1) to
Now, regardless of whatever alert_threshold is set to in the preprocessor,
your gid:138 rules would still alert based on their settings.
-- snipped from snort manual --
sd_pattern <count>, <pattern>;
This dictates how many times a PII pattern must be matched for an alert to be generated.
The count is tracked across all packets in a session.
-- /snip --
Now, for the specific PII rule you're interested in (Credit Cards) the default
value of count is set to 2 meaning after 2 occurrences of the rule being hit
(in a given session) you'll receive an alert.
So if you wanted to alert after only seeing 1 credit card number you would
change this count to 1.
Hope this clears things up!
On Fri, Feb 25, 2011 at 7:58 PM, Erik Johnson <ejohnson at ...15166...> wrote:
> I have enabled the SDP and have it successfully logging matches for
> Credit Card numbers and SSNs being sent in the clear through a mail
> server. However, according to the following README:
> The preprocessor's alert threshold must be 'higher than the highest
> individual count in your "sd_pattern" rules'. With sd_pattern allowing a
> minimum count of 1, this means that the alert_threshold should be set to
> a minimum of 2. In fact, when I set it to 1, it still didn't log an
> alert until I put 2 valid credit card numbers into the email. This makes
> catching emails with single credit card numbers impossible. Is there a
> reason for this restriction, or a way around it?
> I apologize if this has been answered before, I searched but was unable
> to find any explanation.
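As an added example (not code from the Snort project or from either poster), the following Python model replays the packets of one session through the counting rules described in the reply above: each gid:138 rule has its own sd_pattern count that accumulates across the packets of a session, and 139:1 fires once the total of hits from any combination of rules reaches alert_threshold. The regexes, the Luhn validation of card candidates, the rule sids 1 and 2, and the SMTP payloads are all assumptions constructed for illustration; the check that alert_threshold is higher than every sd_pattern count follows the README constraint quoted in the original question.

```python
import re
from collections import Counter

# Added example, not code from Snort or from this thread: a small model of
# the sensitive_data preprocessor's per-session counting, written from the
# behaviour described in the post.  Everything below that is not stated on
# the page (the regexes, the Luhn check, rule sids, sample payloads) is an
# assumption made for illustration.

SD_COMBO_ALERT = "139:1 SDF_COMBO_ALERT"

# Simplified detectors (assumed, not Snort's own patterns): 16-digit card
# numbers with optional space/dash separators, and dashed US SSNs.
CREDIT_CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
US_SOCIAL_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number (assumed
    to mirror the validation the preprocessor applies to credit_card)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_matches(pattern: str, payload: str) -> int:
    """Occurrences of one sd_pattern type in a single packet payload."""
    if pattern == "credit_card":
        return sum(1 for m in CREDIT_CARD_RE.findall(payload) if luhn_ok(m))
    if pattern == "us_social":
        return len(US_SOCIAL_RE.findall(payload))
    raise ValueError(f"unknown sd_pattern type: {pattern}")


def sdf_session_alerts(packets, sd_rules, alert_threshold=25):
    """Replay the packets of ONE session and return the alerts that fire.

    sd_rules: list of (sid, count, pattern), one entry per gid:138 rule and
              its `sd_pattern:<count>,<pattern>;` option.
    Each rule fires once per session when its own count is reached (the
    count accumulates across packets); 139:1 fires once when the total of
    hits from any combination of rules reaches alert_threshold.
    """
    highest = max(count for _, count, _ in sd_rules)
    if alert_threshold <= highest:
        # Constraint from README.sensitive_data as quoted in the question.
        raise ValueError(
            f"alert_threshold {alert_threshold} must be higher than the "
            f"highest sd_pattern count ({highest})")
    hits = Counter()            # per-rule match counts for this session
    total = 0                   # hits across all rules, for 139:1
    fired = set()
    alerts = []
    for payload in packets:
        for sid, count, pattern in sd_rules:
            n = count_matches(pattern, payload)
            if n == 0:
                continue
            hits[sid] += n
            total += n
            if hits[sid] >= count and sid not in fired:
                fired.add(sid)
                alerts.append(f"138:{sid} {pattern} (count {count})")
            if total >= alert_threshold and SD_COMBO_ALERT not in fired:
                fired.add(SD_COMBO_ALERT)
                alerts.append(SD_COMBO_ALERT)
    return alerts


# Constructed SMTP payloads (not real traffic).  ONE_CARD is a message body
# split across two TCP segments; the second segment carries a number that
# fails the Luhn check and so is not counted.
ONE_CARD = [
    "Subject: invoice\r\n\r\nPlease charge my card 4111 1111 1111 1111",
    " and ignore the typo 4111 1111 1111 1112 in my last mail.\r\n.\r\n",
]
TWO_CARDS = ["cards: 4111-1111-1111-1111 and 5555 5555 5555 4444\r\n"]
MIXED = ["card 4000000000000002, SSN 078-05-1120, card 4111111111111111\r\n"]

# Rule sets; sids 1 and 2 are placeholders.  DEFAULT mirrors the stock
# credit card rule's sd_pattern:2,credit_card; ONE_HIT is the change the
# reply recommends for alerting on a single card number.
DEFAULT = [(2, 2, "credit_card")]
ONE_HIT = [(2, 1, "credit_card")]
COMBO = [(2, 2, "credit_card"), (1, 2, "us_social")]

if __name__ == "__main__":
    print("one card, count 2 :", sdf_session_alerts(ONE_CARD, DEFAULT))
    print("one card, count 1 :", sdf_session_alerts(ONE_CARD, ONE_HIT))
    print("two cards, count 2:", sdf_session_alerts(TWO_CARDS, DEFAULT))
    print("mixed, threshold 3:", sdf_session_alerts(MIXED, COMBO, 3))
```

Running it reproduces the behaviour the question describes: with the stock count of 2 a session carrying one valid card number produces nothing, lowering the count to 1 alerts on the first match, and in the mixed session 139:1 fires once three hits have accumulated across both rules even though the SSN rule on its own never reaches its count.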