Snort v2.5.0 sensitive data question

_igor_

I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitiva data email address…".

So i had to disable it again to get back internet. Maybe i miss something related to that setting? Anyone can clear me that thing a little up? thx!

Cino

@_igor_:

I tried with "sensitive data" enabled, but had to see that nearly all websites get blocked with "sensitiva data email address…".

So i had to disable it again to get back internet. Maybe i miss something related to that setting? Anyone can clear me that thing a little up? thx!

Great rule if you want to lock down your network or country….

with it on, this is what I suppress:

# Sensitive Data disable
#
# Credit Card Numbers
#suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
#suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
#suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6

eri--

There are some default rules that come with it
Probably just copy them on to the custom rules and tweak!?

miles267

Once sensitive data is enabled on the WAN interface preprocessors tab, where do you input/copy the custom rules?

judex

Good question, since the costum_rules folder is gone… ???

Don't know if that is supposed to work:

exec("/bin/cp {$snortdir}/rules/* {$if_rule_dir}/rules");
                if (file_exists("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
                        @copy("{$snortdir}/custom_rules/local_{$snort_uuid}_{$if_real}.rules", "{$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");

eri--

If you go to the Rules tab on the drop down you will have a custom.rules entry.
You can put those there.

judex

Ahhh, I see. Thx for that. Iwas copying my rules on the shell before. That makes things much easier.

Greets, Judex

_igor_

Could you please point me to that "default rules"? Where can i find them? There are no sensitive data rules…

judex

 cat /usr/local/etc/snort/preproc_rules/sensitive-data.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)