[Snort-users] Using snort in an PCI DSS environment

elof at ...6680... elof at ...6680...
Wed Nov 20 11:40:09 EST 2013

Hi James.

As I understand it, the sd_preprocessor only mask packets that are matched 
with the sd_pattern rule option, i.e. rules to detect and alert on 
e.g. card numbers.
That is the opposite of what I wrote.

Even with maskin enabled, all thousands of rules that do not contain the 
sd_pattern keyword could, in theory, log a packet that accidentally 
contain a card number.


On Wed, 20 Nov 2013, James Lay wrote:

> On 2013-11-20 07:03, elof at ...6680... wrote:
>> Anyone here using a snort sensor in an PCI environment?
>> I'm wondering about PCI compliance regarding logging of potential
>> card
>> numbers...
>> Say I have a snort sensor in a PCI environment.
>> Nothing in the sensor is configured to detect and log card numbers on
>> purpose. Only normal IDS-rules are enabled.
>> Do PCI still force me to encrypt the harddrive just because there is
>> a
>> possibility that a card number *could* accidentally be logged?
>> What do your QSA say?
>> Yes, the sensor's HDD is in scope and must be encrypted.
>> or
>> No, a few potential card numbers, logged by accident, does not count.
>> It's like saying you need to encrypt your mailserver's harddrive just
>> because someone can e-mail you card numbers even though you haven't
>> asked
>> for them.
>> /Elof
> Adding:
> preprocessor sensitive_data: mask_output
> to your snort.conf will make the logs compliant as this X's out all but
> the last four, and will make your QSA happy.
> James
> ------------------------------------------------------------------------------
> Shape the Mobile Experience: Free Subscription
> Software experts and developers: Be at the forefront of tech innovation.
> Intel(R) Software Adrenaline delivers strategic insight and game-changing
> conversations that shape the rapidly evolving mobile landscape. Sign up now.
> http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list