Netgate Discussion Forum
Snort v2.5.0 sensitive data question

pfSense Packages
9 Posts, 5 Posters, 6.0k Views
_igor_:

I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitive data email address…".

So I had to disable it again to get the internet back. Maybe I'm missing something related to that setting? Can anyone clear that up for me a little? Thx!

Cino:

@_igor_:

I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitive data email address…".

So I had to disable it again to get the internet back. Maybe I'm missing something related to that setting? Can anyone clear that up for me a little? Thx!

Great rule if you want to lock down your network or country…

With it on, this is what I suppress:

        
# Sensitive Data disable
#
# Credit Card Numbers
#suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
#suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
#suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6
        
        
eri--:

There are some default rules that come with it.
Probably just copy them over to the custom rules and tweak!?

miles267:

Once sensitive data is enabled on the WAN interface preprocessors tab, where do you input/copy the custom rules?

judex:

Good question, since the custom_rules folder is gone… ???

Don't know if that is supposed to work:

              
exec("/bin/cp {$snortdir}/rules/* {$if_rule_dir}/rules");
if (file_exists("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
        @copy("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules", "{$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
              
              

2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11

eri--:

If you go to the Rules tab, the drop-down will have a custom.rules entry.
You can put those there.

judex:

Ahhh, I see. Thx for that. I was copying my rules on the shell before. That makes things much easier.

Greets, Judex


_igor_:

Could you please point me to those "default rules"? Where can I find them? There are no sensitive data rules…

judex:

cat /usr/local/etc/snort/preproc_rules/sensitive-data.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)
                      


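As an added example that is not from this thread or from the pfSense Snort package, the Python script below ties together the two configuration artefacts posted above: it parses the sensitive-data.rules lines judex dumped and the suppress list Cino uses, reports which gid 138 signatures end up disabled in the rules file, suppressed, or still active, and shows why the email rule's sd_pattern count of 20 trips on an ordinary page full of mailto: links. The translation of the custom phone-number pattern and the built-in matchers (email, us_social, credit_card) are simplified assumptions for illustration: Snort counts sd_pattern matches per session and validates card numbers in ways this script does not.

```python
import re

# Constructed input: the preproc_rules/sensitive-data.rules lines quoted in this thread.
SENSITIVE_DATA_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)
'''

# Constructed input: the suppress list Cino posted (comments trimmed).
SUPPRESS_CONF = '''
# Sensitive Data disable
#suppress gen_id 138, sig_id 2
#suppress gen_id 138, sig_id 3
#suppress gen_id 138, sig_id 4
suppress gen_id 138, sig_id 5
suppress gen_id 138, sig_id 6
'''

# A leading '#' means the rule is disabled in the rules file itself.
RULE_RE = re.compile(
    r'^(?P<off>#?)alert\s.*?msg:"(?P<msg>[^"]*)";.*?'
    r'sd_pattern:(?P<count>\d+),(?P<pattern>[^;]+);.*?sid:(?P<sid>\d+);\s*gid:(?P<gid>\d+);'
)
SUPPRESS_RE = re.compile(r'^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)')


def parse_rules(text):
    """Return one dict per sd_pattern rule: enabled flag, msg, count threshold, pattern, sid, gid."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"enabled": m["off"] == "", "msg": m["msg"],
                          "threshold": int(m["count"]), "pattern": m["pattern"],
                          "sid": int(m["sid"]), "gid": int(m["gid"])})
    return rules


def parse_suppress(text):
    """Return the set of (gen_id, sig_id) pairs that are actively suppressed (commented lines ignored)."""
    return {(int(m[1]), int(m[2])) for m in
            (SUPPRESS_RE.match(l.strip()) for l in text.splitlines()) if m}


def effective_state(rules, suppressed):
    """Map each sid to 'disabled' (off in rules file), 'suppressed' (alerts dropped) or 'active'."""
    return {r["sid"]: ("disabled" if not r["enabled"]
                       else "suppressed" if (r["gid"], r["sid"]) in suppressed
                       else "active") for r in rules}


# Assumption: in Snort's custom sd_pattern syntax only \d \D \w \W \l \L, {n} repeats
# and '?' are special; everything else, including parentheses, is a literal character.
SD_CLASSES = {"d": r"\d", "D": r"\D", "w": r"[A-Za-z0-9]", "W": r"[^A-Za-z0-9]",
              "l": r"[A-Za-z]", "L": r"[^A-Za-z]"}


def sd_pattern_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(SD_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c == "{" and "}" in pattern[i:]:
            j = pattern.index("}", i)
            out.append(pattern[i:j + 1])   # {n} is the same in Python regex
            i = j + 1
        else:
            out.append("?" if c == "?" else re.escape(c))
            i += 1
    return "".join(out)


# Rough stand-ins for Snort's built-in matchers (assumption: the real credit_card
# matcher also validates the number; this plain digit-run approximation does not).
BUILTIN = {"email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
           "us_social": r"\b\d{3}-\d{2}-\d{4}\b",
           "credit_card": r"\b(?:\d[ -]?){13,16}\b"}


def match_count(rule, payload):
    pat = rule["pattern"]
    return len(re.compile(BUILTIN.get(pat) or sd_pattern_to_regex(pat)).findall(payload))


def would_alert(rule, payload):
    # sd_pattern:N fires once N matches are seen; counted per payload here (Snort: per session).
    return match_count(rule, payload) >= rule["threshold"]


def contact_page(n_addresses):
    """Constructed HTML snippet with n mailto links, like a staff directory page."""
    return "".join(f"<a href='mailto:user{i}@example.com'>contact</a>\n" for i in range(n_addresses))


if __name__ == "__main__":
    rules = parse_rules(SENSITIVE_DATA_RULES)
    state = effective_state(rules, parse_suppress(SUPPRESS_CONF))
    for r in rules:
        print(f"gid {r['gid']} sid {r['sid']}  threshold {r['threshold']:>2}  {state[r['sid']]:<10} {r['msg']}")
    email = next(r for r in rules if r["sid"] == 5)
    for n in (3, 20):
        print(f"{n:>2} addresses on one page -> alert: {would_alert(email, contact_page(n))}")
```

Running it lists sid 4 as disabled (commented out in the rules file), sids 5 and 6 as suppressed by Cino's list, and sids 2 and 3 as active; the second loop shows that three mailto links stay under the email rule's threshold of 20 while a directory page with twenty of them would alert, which is the behaviour _igor_ observed. Lowering the count in a custom.rules copy, or restricting $EXTERNAL_NET, changes the trade-off without suppressing the signature outright.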
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.