Sensitive Data configuration is split into two parts: the preprocessor config,
and the rule options. The preprocessor config starts with:
preprocessor sensitive_data:
Option syntax
Option | Argument | Required | Default
alert_threshold | <number> | NO | alert_threshold 25
mask_output | NONE | NO | OFF
ssn_file | <filename> | NO | OFF
alert_threshold = 1 - 65535
Option explanations
- alert_threshold
  The preprocessor will alert when any combination of PII is detected
  in a session. This option specifies how many must be detected before
  alerting.
  This should be set higher than the highest individual count in your
  "sd_pattern" rules.
- mask_output
  This option replaces all but the last 4 digits of a detected PII with
  "X"s. This is only done on credit card & Social Security numbers, where
  an organization's regulations may prevent them from seeing unencrypted
  numbers.
- ssn_file
  A Social Security number is broken up into 3 sections:
  Area (3 digits), Group (2 digits), and Serial (4 digits).
  On a monthly basis, the Social Security Administration publishes a list
  of which Group numbers are in use for each Area.
  These numbers can be updated in Snort by supplying a CSV file with the
  new maximum Group numbers to use.
  By default, Snort recognizes Social Security numbers issued up through
  November 2009.
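The following is an added example, not Snort's code: a Python model of how a per-Area maximum Group table, masking, and a session threshold interact. Assumptions: the dashed NNN-NN-NNNN format, the SSA group issuing order (known from SSA practice, not stated on this page), a constructed MAX_GROUP table that is neither real SSA data nor the layout of the ssn_file CSV, and hypothetical function names.

```python
import re

# Assumption (SSA practice, not from this page): Groups within an Area are
# issued in the order odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (list(range(1, 10, 2)) + list(range(10, 99, 2))
               + list(range(2, 9, 2)) + list(range(11, 100, 2)))
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}

# Constructed sample: Area -> highest Group issued so far.
# Not real SSA data and not the layout of Snort's ssn_file.
MAX_GROUP = {1: 8, 2: 98, 3: 6}

# Assumed dashed format: Area (3 digits), Group (2 digits), Serial (4 digits).
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def ssn_plausible(area, group, serial, max_group=MAX_GROUP):
    """True if the Area is known and the Group was issued at or before its max."""
    if group == 0 or serial == 0 or area not in max_group:
        return False
    return GROUP_RANK[group] <= GROUP_RANK[max_group[area]]

def mask(text):
    """Replace all but the last 4 digits with 'X', as mask_output is described."""
    digits_left = sum(c.isdigit() for c in text) - 4
    out = []
    for c in text:
        if c.isdigit() and digits_left > 0:
            out.append("X")
            digits_left -= 1
        else:
            out.append(c)
    return "".join(out)

def scan_session(payload, alert_threshold=25):
    """Return (masked hits, whether the session count reaches alert_threshold)."""
    hits = [m.group(0) for m in SSN_RE.finditer(payload)
            if ssn_plausible(*map(int, m.groups()))]
    return [mask(h) for h in hits], len(hits) >= alert_threshold
```

A Group issued after the table was built fails `ssn_plausible`, which is why an out-of-date table misses newer numbers; note also that Group 02 is not valid under a maximum of 98, because issuing order is not numeric order.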
Example preprocessor config
preprocessor sensitive_data: alert_threshold 25 \
mask_output \
ssn_file ssn_groups_Jan10.csv
Eugene Misnik
2013-05-08