[Snort-users] Using snort in a PCI DSS environment

James Lay jlay at ...13475...
Wed Nov 20 11:51:58 EST 2013


On 2013-11-20 09:40, elof at ...6680... wrote:
> Hi James.
>
> As I understand it, the sd_preprocessor only masks packets that are
> matched with the sd_pattern rule option, i.e. rules to detect and alert on
> e.g. card numbers.
> That is the opposite of what I wrote.
>
> Even with masking enabled, all thousands of rules that do not contain
> the sd_pattern keyword could, in theory, log a packet that accidentally
> contains a card number.
>
> /Elof
>
>
> On Wed, 20 Nov 2013, James Lay wrote:
>
>> On 2013-11-20 07:03, elof at ...6680... wrote:
>>> Anyone here using a snort sensor in a PCI environment?
>>>
>>> I'm wondering about PCI compliance regarding logging of potential
>>> card numbers...
>>>
>>>
>>> Say I have a snort sensor in a PCI environment.
>>> Nothing in the sensor is configured to detect and log card numbers
>>> on purpose. Only normal IDS-rules are enabled.
>>>
>>> Does PCI still force me to encrypt the hard drive just because there
>>> is a possibility that a card number *could* accidentally be logged?
>>>
>>>
>>> What does your QSA say?
>>>
>>> Yes, the sensor's HDD is in scope and must be encrypted.
>>>
>>> or
>>>
>>> No, a few potential card numbers, logged by accident, do not count.
>>> It's like saying you need to encrypt your mail server's hard drive
>>> just because someone can e-mail you card numbers even though you
>>> haven't asked for them.
>>>
>>> /Elof

Elof, are you logging to unified by chance?  Or only syslog/fast file?
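The exposure Elof describes (a rule without sd_pattern firing on a packet whose payload happens to carry a PAN) only materialises when the sensor writes payload to disk: one-line fast alerts and syslog alerts carry header fields only, whereas unified2 and pcap-style packet logs include the packet. Where payload logging is needed, one compensating control is to scrub PAN-like numbers from the text output before it is stored. The following is an added example, not Snort code and not part of the thread; it uses a Luhn check to separate card numbers from other long digit strings (timestamps, session IDs) and truncates hits to first six / last four, which is the most PCI DSS permits to be displayed. The regex, the function names and the sample log lines are all constructed here for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.  Heuristic, constructed here.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every second digit from the right is doubled, digit-summed, and the
    whole thing must be divisible by 10.  Filters out most random numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four, which PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit sequence in one log line.

    Separators inside the match are dropped so the mask is a single token;
    non-Luhn digit runs (session IDs, counters) are left untouched.
    """
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_RE.sub(repl, line)


def scrub_lines(lines):
    """Scrub a list of lines; returns (scrubbed_lines, number_of_lines_changed)."""
    out = [scrub(l) for l in lines]
    changed = sum(1 for a, b in zip(lines, out) if a != b)
    return out, changed


# Constructed sample output, as a sensor might write when payload logging is
# enabled.  4111111111111111 is a well-known Luhn-valid test number;
# 1234567890123456 is 16 digits but fails Luhn and must survive intact.
SAMPLE_LINES = [
    "[**] [1:1000001:1] CONSTRUCTED HTTP POST to payment form [**] "
    "10.0.0.5:51234 -> 10.0.1.10:443 payload: cc=4111111111111111&exp=1225",
    "[**] [1:1000002:1] CONSTRUCTED cookie anomaly [**] "
    "10.0.0.7:51800 -> 10.0.1.10:443 payload: session=1234567890123456",
    "[**] [1:1000003:1] CONSTRUCTED form post [**] "
    "10.0.0.9:52001 -> 10.0.1.10:443 payload: card=4111-1111-1111-1111",
]

if __name__ == "__main__":
    scrubbed, n = scrub_lines(SAMPLE_LINES)
    for line in scrubbed:
        print(line)
    print(f"{n} of {len(SAMPLE_LINES)} lines masked")
```

This is a best-effort filter on already-captured text, so it reduces rather than removes the exposure: a PAN split across TCP segments, or one in an encoding the regex does not anticipate, will still reach disk. It is a reason to prefer the answer that scopes the sensor's storage in, not a substitute for that decision.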