[Snort-users] Using snort in a PCI DSS environment

James Lay jlay at ...13475...
Fri Nov 22 07:30:51 EST 2013


On Nov 21, 2013, at 2:42 AM, elof at ...6680... wrote:

> On Wed, 20 Nov 2013, James Lay wrote:
> 
>> On 2013-11-20 09:40, elof at ...6680... wrote:
>>> Hi James.
>>> 
>>> As I understand it, the sd_preprocessor only masks packets that are
>>> matched with the sd_pattern rule option, i.e. rules to detect and
>>> alert on e.g. card numbers.
>>> That is the opposite of what I wrote.
>>> 
>>> Even with masking enabled, all thousands of rules that do not contain
>>> the sd_pattern keyword could, in theory, log a packet that accidentally
>>> contains a card number.
>>> 
>>> /Elof
>>> 
>>> 
>>> On Wed, 20 Nov 2013, James Lay wrote:
>>> 
>>>> On 2013-11-20 07:03, elof at ...6680... wrote:
>>>>> Anyone here using a snort sensor in a PCI environment?
>>>>> 
>>>>> I'm wondering about PCI compliance regarding logging of potential
>>>>> card numbers...
>>>>> 
>>>>> 
>>>>> Say I have a snort sensor in a PCI environment.
>>>>> Nothing in the sensor is configured to detect and log card numbers
>>>>> on purpose. Only normal IDS rules are enabled.
>>>>> 
>>>>> Does PCI still force me to encrypt the hard drive just because there
>>>>> is a possibility that a card number *could* accidentally be logged?
>>>>> 
>>>>> 
>>>>> What does your QSA say?
>>>>> 
>>>>> Yes, the sensor's HDD is in scope and must be encrypted.
>>>>> 
>>>>> or
>>>>> 
>>>>> No, a few potential card numbers, logged by accident, do not count.
>>>>> It's like saying you need to encrypt your mail server's hard drive
>>>>> just because someone can e-mail you card numbers even though you
>>>>> haven't asked for them.
>>>>> 
>>>>> /Elof
>> 
>> Elof, are you logging to unified by chance?  Or only syslog/fast file?
> 
> I'm logging to unified2, alert-fast, pcap and to database. :-)
> 
> /Elof
> 

Ah..yea that’s a lot ;)

James
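Elof's point above is that ordinary rules without sd_pattern can still write a packet containing a card number to unified2, pcap or the database, and the sensitive_data masking never touches those. One way to check whether that has actually happened is to audit the sensor's own output for Luhn-valid 13 to 19 digit runs before deciding what is in scope. The script below is an added example, not from this thread or from the Snort project; the log lines it scans are constructed, and the regex and masking format are the author's assumptions, not Snort's.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. This is a wide net; the Luhn
# check below discards most non-card numbers (timestamps, IDs, counters).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_candidate_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the report itself holds no PAN."""
    return "X" * (len(digits) - 4) + digits[-4:]


def audit_log(lines) -> list:
    """Scan log lines; return (line_number, masked_pan) per candidate PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        for digits in find_candidate_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


# Constructed sample lines (not real Snort output): a captured HTTP payload
# with a test card number, one whose number fails Luhn, and a plain alert.
SAMPLE_LINES = [
    "11/22-07:30:51.123456 10.0.0.5:51234 -> 10.0.0.9:80 "
    "POST /pay card=4111111111111111&exp=1219",
    "11/22-07:30:52.000001 10.0.0.5:51235 -> 10.0.0.9:80 "
    "POST /pay card=1234567890123456&exp=1219",
    "11/22-07:30:53.000002 [**] [1:1000001:0] CONSTRUCTED TEST [**] "
    "{TCP} 10.0.0.5:51236 -> 10.0.0.9:80",
]

if __name__ == "__main__":
    for line_no, masked in audit_log(SAMPLE_LINES):
        print(f"line {line_no}: possible PAN {masked}")
```

Run it over decoded payloads (for example the ASCII dump of a pcap or unified2 log) rather than only alert-fast lines, since those carry no packet data; a single hit is enough to show the log store holds cardholder data.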
