[Snort-users] Using snort in a PCI DSS environment

James Lay jlay at ...13475...
Wed Nov 20 09:50:56 EST 2013


On 2013-11-20 07:03, elof at ...6680... wrote:
> Anyone here using a snort sensor in a PCI environment?
>
> I'm wondering about PCI compliance regarding logging of potential
> card numbers...
>
>
> Say I have a snort sensor in a PCI environment.
> Nothing in the sensor is configured to detect and log card numbers on
> purpose. Only normal IDS-rules are enabled.
>
> Does PCI still force me to encrypt the hard drive just because there is
> a possibility that a card number *could* accidentally be logged?
>
>
> What does your QSA say?
>
> Yes, the sensor's HDD is in scope and must be encrypted.
>
> or
>
> No, a few potential card numbers, logged by accident, do not count.
> It's like saying you need to encrypt your mailserver's hard drive just
> because someone can e-mail you card numbers even though you haven't
> asked for them.
>
> /Elof
>

Adding:

preprocessor sensitive_data: mask_output

to your snort.conf will make the logs compliant as this X's out all but 
the last four, and will make your QSA happy.

James
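
As an added example (not part of the original post, and not Snort code): a small Python check that scans text log output for Luhn-valid card-like numbers and reports them masked to the last four digits, which is one way to confirm what a sensor is actually writing to disk. The sample lines are constructed, and the function names are this example's own.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookbehind skips values whose leading digits are already X'ed out.
CANDIDATE = re.compile(r"(?<![\dXx])(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(text: str) -> str:
    """X out every digit except the last four, keeping separators."""
    remaining = sum(c.isdigit() for c in text) - 4
    out = []
    for c in text:
        if c.isdigit() and remaining > 0:
            out.append("X")
            remaining -= 1
        else:
            out.append(c)
    return "".join(out)

def scan(lines):
    """Return (line_no, masked_value) for each Luhn-valid candidate found."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((no, mask(m.group())))
    return hits

# Constructed sample lines (not real Snort output); the card values are
# well-known test numbers, and line 3 is a non-Luhn order id.
SAMPLE = [
    "payload: POST /pay card=4111111111111111&exp=1215",
    "payload: card=XXXXXXXXXXXX1111 (already masked)",
    "payload: order id 1234567890123456 qty=2",
    "payload: pan 4012-8888-8888-1881 name=test",
]

if __name__ == "__main__":
    for no, masked in scan(SAMPLE):
        print(f"line {no}: unmasked card-like number {masked}")
```

Any hit means a full card number reached the log in clear text; the script itself only ever prints the masked form.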




