[Snort-users] Using snort in a PCI DSS environment

elof at ...6680...
Thu Nov 21 04:42:08 EST 2013


On Wed, 20 Nov 2013, James Lay wrote:

> On 2013-11-20 09:40, elof at ...6680... wrote:
>> Hi James.
>>
>> As I understand it, the sd_preprocessor only masks packets that are
>> matched with the sd_pattern rule option, i.e. rules to detect and alert
>> on e.g. card numbers.
>> That is the opposite of what I wrote.
>>
>> Even with masking enabled, all thousands of rules that do not contain
>> the sd_pattern keyword could, in theory, log a packet that accidentally
>> contains a card number.
>>
>> /Elof
>>
>>
>> On Wed, 20 Nov 2013, James Lay wrote:
>>
>>> On 2013-11-20 07:03, elof at ...6680... wrote:
>>>> Anyone here using a snort sensor in a PCI environment?
>>>>
>>>> I'm wondering about PCI compliance regarding logging of potential
>>>> card numbers...
>>>>
>>>>
>>>> Say I have a snort sensor in a PCI environment.
>>>> Nothing in the sensor is configured to detect and log card numbers
>>>> on purpose. Only normal IDS-rules are enabled.
>>>>
>>>> Does PCI still force me to encrypt the harddrive just because there
>>>> is a possibility that a card number *could* accidentally be logged?
>>>>
>>>>
>>>> What does your QSA say?
>>>>
>>>> Yes, the sensor's HDD is in scope and must be encrypted.
>>>>
>>>> or
>>>>
>>>> No, a few potential card numbers, logged by accident, do not count.
>>>> It's like saying you need to encrypt your mailserver's harddrive
>>>> just because someone can e-mail you card numbers even though you
>>>> haven't asked for them.
>>>>
>>>> /Elof
>
> Elof, are you logging to unified by chance?  Or only syslog/fast file?

I'm logging to unified2, alert-fast, pcap and to database. :-)

/Elof
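The concern raised in the thread, that rules without sd_pattern can log a packet carrying a card number, can be audited on the sensor's own output. The following is an added example, not code from the thread or from Snort: it applies Luhn-validated masking (keeping the last four digits, as the sensitive_data preprocessor does for sd_pattern hits) to text extracted from logged payloads. The candidate regex and the sample lines are constructed for this example and are not Snort's own patterns.

```python
import re
from typing import List, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; Snort's built-in credit_card matcher is not
# reproduced here.
CANDIDATE_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> Tuple[str, int]:
    """Mask Luhn-valid PANs in text, keeping the last four digits.
    Returns (masked_text, number_of_pans_masked). Digit runs that fail the
    Luhn check (timestamps, counters) are left untouched."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r'[ -]', '', raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        remaining = len(digits)
        out = []
        for ch in raw:           # preserve separator positions, X out digits
            if ch.isdigit():
                out.append(ch if remaining <= 4 else 'X')
                remaining -= 1
            else:
                out.append(ch)
        return ''.join(out)

    return CANDIDATE_RE.sub(repl, text), count


def audit_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_line) for each line that held a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        masked, found = mask_pans(line)
        if found:
            hits.append((n, masked))
    return hits
```

Running `audit_lines` over the decoded payload text of a pcap or alert_full log shows which logged packets, if any, carried a valid PAN, which is the evidence a QSA would ask for either way.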
