Snort v2.5.0 sensitive data question



  • I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitive data email address…".

    So I had to disable it again to get back internet. Maybe I am missing something related to that setting? Can anyone clear that up for me a little? thx!



  • @_igor_:

    I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitive data email address…".

    So I had to disable it again to get back internet. Maybe I am missing something related to that setting? Can anyone clear that up for me a little? thx!

    Great rule if you want to lock down your network or country….

    With it on, this is what I suppress:

    
    # Sensitive Data disable
    #
    # Credit Card Numbers
    #suppress gen_id 138, sig_id 2
    # U.S. Social Security Numbers (with dashes)
    #suppress gen_id 138, sig_id 3
    # U.S. Social Security Numbers (w/out dashes)
    #suppress gen_id 138, sig_id 4
    # Email Addresses
    suppress gen_id 138, sig_id 5
    # U.S. Phone Numbers
    suppress gen_id 138, sig_id 6
    
    


  • There are some default rules that come with it.
    Probably just copy them onto the custom rules and tweak!?



  • Once sensitive data is enabled on the WAN interface preprocessors tab, where do you input/copy the custom rules?



  • Good question, since the custom_rules folder is gone… ???

    Don't know if that is supposed to work:

    
    exec("/bin/cp {$snortdir}/rules/* {$if_rule_dir}/rules");
    if (file_exists("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
        @copy("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules", "{$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
    
    


  • If you go to the Rules tab, in the drop-down you will have a custom.rules entry.
    You can put those there.



  • Ahhh, I see. Thx for that. I was copying my rules on the shell before. That makes things much easier.

    Greets, Judex



  • Could you please point me to those "default rules"? Where can I find them? There are no sensitive data rules…



  • cat /usr/local/etc/snort/preproc_rules/sensitive-data.rules
    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
    #alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)
    
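The rules listed above and the suppress list posted earlier share the gid 138 / sid numbering, and each rule's `sd_pattern:<count>,<type>` option is a threshold: the rule only alerts once that many matches have been seen. The script below is an added example (not code from Snort, the pfSense package, or anyone in this thread) that parses those rule lines, approximates the built-in pattern types (credit_card, us_social, us_social_nodashes, email) with Python regexes, translates the phone rule's custom pattern out of Snort's limited `\d`/`\w`/`\l`/`?`/`{n}` syntax, counts matches in two constructed payloads, and prints the `suppress gen_id 138, sig_id N` entries that would silence whatever reached its threshold. The built-in regexes, the Luhn check and both payloads are assumptions for illustration, not Snort's real matcher; the point they show is that a twelve-entry staff directory already carries 24 addresses and crosses the 20-count email threshold, which is why ordinary sites get blocked as soon as the preprocessor's alerts are enforced.

```python
"""Emulate how Snort's sensitive-data (SDF) rules count PII before alerting.

Added example for this thread, not code from Snort or the pfSense package.
BUILTIN regexes, luhn_ok and the sample payloads are assumptions.
"""
import re
from dataclasses import dataclass

# The gid 138 rules quoted in the thread, metadata options dropped for brevity.
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)
'''

# Approximations (assumption) of Snort's built-in sd_pattern types.
BUILTIN = {
    "credit_card": r"\b(?:\d[ -]?){15,16}\b",   # digits only; Luhn-checked below
    "us_social": r"\b\d{3}-\d{2}-\d{4}\b",
    "us_social_nodashes": r"\b\d{9}\b",
    "email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b",
}

RULE_RE = re.compile(r'msg:"([^"]+)";.*?sd_pattern:(\d+),([^;]+);.*?sid:(\d+);.*?gid:(\d+);')


def snort_custom_to_regex(pattern: str) -> str:
    """Translate Snort's custom sd_pattern syntax into a Python regex.

    Snort supports \\d (digit), \\w (alphanumeric), \\l (letter), ? (optional)
    and {n} (repeat); every other character, parentheses included, is literal.
    """
    classes = {"d": "[0-9]", "w": "[A-Za-z0-9]", "l": "[A-Za-z]"}
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(classes.get(nxt, re.escape(nxt)))
            i += 2
        elif ch == "?" and out:
            out[-1] = f"(?:{out[-1]})?"   # grouped so "{3}?" is not a lazy quantifier
            i += 1
        elif ch == "{" and out and "}" in pattern[i:]:
            j = pattern.index("}", i)
            out[-1] += pattern[i:j + 1]
            i = j + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


@dataclass
class Rule:
    gid: int
    sid: int
    msg: str
    threshold: int   # the count in sd_pattern:<count>,<type>
    pattern: str
    regex: re.Pattern


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # commented-out rules are disabled
            continue
        m = RULE_RE.search(line)
        if not m:
            continue
        msg, count, pat, sid, gid = m.groups()
        regex = BUILTIN.get(pat) or snort_custom_to_regex(pat)
        rules.append(Rule(int(gid), int(sid), msg, int(count), pat, re.compile(regex)))
    return rules


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits in a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_matches(rule: Rule, payload: str) -> int:
    hits = rule.regex.findall(payload)
    if rule.pattern == "credit_card":
        hits = [h for h in hits if luhn_ok(h)]
    return len(hits)


def firing(rules, payload: str) -> dict:
    """sid -> match count for every rule whose sd_pattern threshold is reached."""
    result = {}
    for r in rules:
        n = count_matches(r, payload)
        if n >= r.threshold:
            result[r.sid] = n
    return result


def suppress_lines(rules, payload: str) -> list:
    """The suppress entries that would silence what fired on this payload."""
    fired = firing(rules, payload)
    return [f"suppress gen_id {r.gid}, sig_id {r.sid}" for r in rules if r.sid in fired]


# Constructed samples: an ordinary staff directory page and a checkout form.
DIRECTORY_PAGE = (
    "<html><body><h1>Staff directory</h1>\n"
    + "".join(f'<li><a href="mailto:user{i}@example.com">user{i}@example.com</a></li>\n' for i in range(12))
    + "<p>Reception: (555) 123-4567 or 555 987-6543</p></body></html>\n"
)
CHECKOUT_FORM = "name=Example Customer&card=4111 1111 1111 1111&exp=12/30"

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, payload in (("directory page", DIRECTORY_PAGE), ("checkout form", CHECKOUT_FORM)):
        counts = {r.sid: count_matches(r, payload) for r in rules}
        print(f"{name}: counts={counts} fires={firing(rules, payload)}")
    print("\n".join(suppress_lines(rules, DIRECTORY_PAGE)))
```

Running it shows the directory page reaching 24 email matches against a threshold of 20 (sid 5 fires, and the script emits exactly the `suppress gen_id 138, sig_id 5` line from the list posted earlier), while its single phone number stays far below the phone rule's 20, and the checkout form's one card number stays below the credit-card rule's threshold of 2. The second number without parentheses is not counted, because in Snort's custom syntax the parentheses in `(\d{3}) ?\d{3}-\d{4}` are literal characters.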
