[Snort-users] Using snort in a PCI DSS environment
elof at ...6680...
Wed Nov 20 11:40:09 EST 2013
As I understand it, the sd_preprocessor only masks packets that are matched
with the sd_pattern rule option, i.e. rules to detect and alert on
e.g. card numbers.
That is the opposite of what I wrote.
Even with masking enabled, all the thousands of rules that do not contain the
sd_pattern keyword could, in theory, log a packet that accidentally
contains a card number.
On Wed, 20 Nov 2013, James Lay wrote:
> On 2013-11-20 07:03, elof at ...6680... wrote:
>> Anyone here using a snort sensor in a PCI environment?
>> I'm wondering about PCI compliance regarding logging of potential
>> Say I have a snort sensor in a PCI environment.
>> Nothing in the sensor is configured to detect and log card numbers on
>> purpose. Only normal IDS-rules are enabled.
>> Does PCI still force me to encrypt the hard drive just because there is a
>> possibility that a card number *could* accidentally be logged?
>> What does your QSA say?
>> Yes, the sensor's HDD is in scope and must be encrypted.
>> No, a few potential card numbers, logged by accident, do not count.
>> It's like saying you need to encrypt your mailserver's hard drive just
>> because someone can e-mail you card numbers even though you haven't
>> for them.
> preprocessor sensitive_data: mask_output
> to your snort.conf will make the logs compliant as this X's out all but
> the last four, and will make your QSA happy.