[Snort-users] Using snort in a PCI DSS environment
jlay at ...13475...
Wed Nov 20 11:51:58 EST 2013
On 2013-11-20 09:40, elof at ...6680... wrote:
> Hi James.
> As I understand it, the sd_preprocessor only masks packets that are
> with the sd_pattern rule option, i.e. rules to detect and alert on
> e.g. card numbers.
> That is the opposite of what I wrote.
> Even with masking enabled, all thousands of rules that do not contain
> sd_pattern keyword could, in theory, log a packet that accidentally
> contain a card number.
> On Wed, 20 Nov 2013, James Lay wrote:
>> On 2013-11-20 07:03, elof at ...6680... wrote:
>>> Anyone here using a snort sensor in a PCI environment?
>>> I'm wondering about PCI compliance regarding logging of potential
>>> Say I have a snort sensor in a PCI environment.
>>> Nothing in the sensor is configured to detect and log card numbers
>>> purpose. Only normal IDS-rules are enabled.
>>> Does PCI still force me to encrypt the harddrive just because there
>>> possibility that a card number *could* accidentally be logged?
>>> What does your QSA say?
>>> Yes, the sensor's HDD is in scope and must be encrypted.
>>> No, a few potential card numbers, logged by accident, does not
>>> It's like saying you need to encrypt your mailserver's harddrive
>>> because someone can e-mail you card numbers even though you haven't
>>> for them.
Elof, are you logging to unified by chance? Or only syslog/fast file?