[Snort-users] Sensitive Data Preprocessor: logging single matches

Victor Roemer vroemer at ...1935...
Fri Feb 25 20:59:54 EST 2011

I think I can clear this up for you.

preprocessor sensitive_data: alert_threshold 25

This configuration dictates that after 25 occurrences of ANY combination of
sdf rules being hit in a given session, SDF_COMBO_ALERT (139:1) will be
triggered.

Now, regardless of whatever alert_threshold is set to in the preprocessor,
your gid:138 rules would still alert based on their settings.

-- snipped from snort manual --

sd_pattern <count>, <pattern>;


This dictates how many times a PII pattern must be matched for an alert to
be generated. The count is tracked across all packets in a session.


-- /snip --

Now, for the specific PII rule you're interested in (Credit Cards) the default
value of count is set to 2, meaning after 2 occurrences of the rule being hit
(in a given session) you'll receive an alert.

So if you wanted to alert after only seeing 1 credit card number you would
change this count to 1.

Hope this clears things up!

On Fri, Feb 25, 2011 at 7:58 PM, Erik Johnson <ejohnson at ...15166...> wrote:

> I have enabled the SDP and have it successfully logging matches for
> Credit Card numbers and SSNs being sent in the clear through a mail
> server. However, according to the following README:
> http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD
> The preprocessor's alert threshold must be 'higher than the highest
> individual count in your "sd_pattern" rules'. With sd_pattern allowing a
> minimum count of 1, this means that the alert_threshold should be set to
> a minimum of 2. In fact, when I set it to 1, it still didn't log an
> alert until I put 2 valid credit card numbers into the email. This makes
> catching emails with single credit card numbers impossible. Is there a
> reason for this restriction, or a way around it?
> I apologize if this has been answered before, I searched but was unable
> to find any explanation.
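The two counters Victor describes (the per-rule sd_pattern count and the preprocessor-wide alert_threshold) are easy to confuse, so here is a small Python model of how they interact over one session. This is an added illustration written for this thread, not Snort source code: the credit_card pattern is approximated as 16 digits in groups of four with optional space or dash separators checked with the Luhn checksum, us_social is approximated as NNN-NN-NNNN with no area/group validation, and the sample session text and card numbers are constructed (well-known test numbers, not real accounts).

```python
"""Model of the two counters in Snort's sensitive_data preprocessor.

Added illustration for this thread, not Snort source code. It approximates:

  sd_pattern <count>, <pattern>;     per-pattern count, tracked per session,
                                      drives the gid:138 rule alert
  preprocessor sensitive_data: alert_threshold N
                                      combined count of ALL pattern hits in the
                                      session, drives SDF_COMBO_ALERT (139:1)

Assumptions: credit_card is approximated as 16 digits in groups of four with
optional space or dash separators, validated with the Luhn checksum; us_social
is approximated as NNN-NN-NNNN with no area/group validation.
"""
import re
from collections import Counter

PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "us_social": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: reject digit strings that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(session_data: str) -> Counter:
    """Count per-pattern hits across the reassembled data of one session."""
    hits = Counter()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(session_data):
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # fails Luhn, so it is not counted as a card number
            hits[name] += 1
    return hits


def evaluate(session_data: str, sd_counts: dict, alert_threshold: int) -> set:
    """Return the alerts that fire for a session.

    sd_counts maps pattern name -> the <count> from its sd_pattern rule.
    alert_threshold is the preprocessor's alert_threshold.
    """
    hits = find_pii(session_data)
    alerts = set()
    for name, count in sd_counts.items():
        if hits[name] >= count:
            alerts.add(f"138:{name}")       # the gid:138 rule fires on its own
    if sum(hits.values()) >= alert_threshold:
        alerts.add("139:1")                 # SDF_COMBO_ALERT, any combination
    return alerts


# Constructed sample sessions (well-known test card numbers, not real accounts).
SAMPLE_ONE_CARD = "Order confirmation: charged card 4111 1111 1111 1111, thanks."
SAMPLE_MIXED = (
    "cards 4111 1111 1111 1111 and 5500-0000-0000-0004, SSN 123-45-6789, "
    "and a typo 4111 1111 1111 1112 that fails Luhn"
)

if __name__ == "__main__":
    # Default count 2, one card in the session: nothing fires, whatever the threshold.
    print(evaluate(SAMPLE_ONE_CARD, {"credit_card": 2, "us_social": 2}, 25))
    # count 1 on the credit card rule: gid:138 alert on a single card, still no
    # 139:1 because the combined count (1) is below alert_threshold.
    print(evaluate(SAMPLE_ONE_CARD, {"credit_card": 1, "us_social": 2}, 25))
    # Three counted hits in one session with alert_threshold 3: combo alert as well.
    print(evaluate(SAMPLE_MIXED, {"credit_card": 2, "us_social": 2}, 3))
```

The point the model makes is the one in the reply above: lowering the sd_pattern count to 1 is what makes a single card number alert, while alert_threshold only governs the separate 139:1 combo alert over the session's combined hits. Note that the Luhn filter drops the last number in SAMPLE_MIXED, so only two of the three card-shaped strings are counted.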
