next up previous contents
Next: Normalizer Up: Sensitive Data Preprocessor Previous: Preprocessor Configuration   Contents

Rule Options

Snort rules are used to specify which PII the preprocessor should look for. A new rule option is provided by the preprocessor:

sd_pattern

This rule option specifies what type of PII a rule should detect.

Syntax

    sd_pattern:<count>, <pattern>;
    count   = 1 - 255
    pattern = any string

Option Explanations

count

This dictates how many times a PII pattern must be matched for an alert to be generated. The count is tracked across all packets in a session.

pattern

This is where the pattern of the PII gets specified. There are a few built-in patterns to choose from:

credit_card

The "credit_card" pattern matches 15- and 16-digit credit card numbers. The digit groups may be separated by spaces, by dashes, or by nothing at all. This covers Visa, Mastercard, Discover, and American Express. Candidate numbers matched this way have their check digit verified with the Luhn algorithm, which filters out most random digit runs of the right length (order numbers, timestamps, hashes) but does not prove that the number is an issued card.
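The following is an added example, not the preprocessor's own code, showing the two steps the credit_card pattern performs: locate a 15- or 16-digit run whose groups may be separated by spaces or dashes, then verify its Luhn check digit. It assumes, for readability, that a single space or dash may appear between any two digits (looser than the preprocessor's fixed group layout); the input is a constructed payload built around the public test numbers 4111111111111111 and 378282246310005.

```python
import re

# Added illustration, not the preprocessor's code. Assumption: a candidate is
# 15 or 16 digits, optionally separated by one space or dash between any two
# digits, and not part of a longer digit run.
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string carries a valid Luhn check digit.

    Walking from the rightmost digit, every second digit is doubled and
    reduced by 9 when the product exceeds 9; the sum must be a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list:
    """Return the Luhn-valid 15/16-digit numbers found in text, separators stripped."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if len(digits) in (15, 16) and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample payload: one Visa and one American Express test number,
# plus two 16-digit runs that fail the Luhn check and must not be reported.
SAMPLE = (
    "order 4111-1111-1111-1111 exp 12/25; "
    "amex 3782 822463 10005; "
    "typo 4111111111111112; "
    "ref 1234567890123456 ok"
)

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE))
```

Only the two Luhn-valid numbers are reported; the transposed Visa number and the sequential 16-digit reference are dropped, which is exactly the false-positive reduction the check digit buys.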

us_social

This pattern matches against 9-digit U.S. Social Security numbers. The SSNs are expected to have dashes between the Area, Group, and Serial sections.

SSNs have no check digits, but the preprocessor will check matches against the list of currently allocated group numbers.

us_social_nodashes

This pattern matches U.S. Social Security numbers without dashes separating the Area, Group, and Serial sections.

email

This pattern matches against email addresses.

If the pattern specified is not one of the above built-in patterns, then it is the definition of a custom PII pattern. Custom PII types are defined using a limited regex-style syntax. The following special characters and escape sequences are supported:

\d matches any digit
\D matches any non-digit
\l matches any letter
\L matches any non-letter
\w matches any alphanumeric character
\W matches any non-alphanumeric character
{num} used to repeat the preceding character or escape sequence "num" times. example: "\d{3}" matches 3 digits.
? makes the previous character or escape sequence optional. example: " ?" matches an optional space. This behaves in a greedy manner.
\\ matches a backslash
\{, \} matches { and }
\? matches a question mark.

Other characters in the pattern will be matched literally.

Note:   Unlike PCRE, \w in this rule option does NOT match underscores.

Examples
    sd_pattern: 2,us_social;
Alerts when 2 social security numbers (with dashes) appear in a session.

    sd_pattern: 5,(\d{3})\d{3}-\d{4};
Alerts once 5 U.S. phone numbers of the form (123)456-7890 have been seen in a session. The parentheses and the dash are literal characters here, since only the escape sequences listed above have special meaning.
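The custom pattern syntax above and the per-session count are shown in the following added example, which is not the preprocessor's own matcher: it translates an sd_pattern string into a Python regular expression (escapes, {num}, optional ?, literal everything else, and \w without underscore) and accumulates matches over the packets of a session until <count> is reached. The session payloads are constructed, and the phone pattern is the one from the example above.

```python
import re

# Added illustration, not the preprocessor's code. Escape sequences and their
# character classes; \w deliberately excludes underscore, unlike PCRE.
_CLASSES = {
    'd': '[0-9]', 'D': '[^0-9]',
    'l': '[A-Za-z]', 'L': '[^A-Za-z]',
    'w': '[A-Za-z0-9]', 'W': '[^A-Za-z0-9]',
}


def sd_pattern_to_regex(pattern: str) -> str:
    r"""Translate a custom sd_pattern into Python re syntax.

    Supported: \d \D \l \L \w \W, {num}, ?, and the escapes \\ \{ \} \?.
    Anything else, including ( ) . + * and -, is matched literally.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':
            if i + 1 >= n:
                raise ValueError('dangling backslash')
            esc = pattern[i + 1]
            if esc in _CLASSES:
                out.append(_CLASSES[esc])
            elif esc in '\\{}?':
                out.append(re.escape(esc))
            else:
                raise ValueError(f'unsupported escape \\{esc}')
            i += 2
        elif c == '{':
            j = pattern.find('}', i)
            if j < 0 or not pattern[i + 1:j].isdigit() or not out:
                raise ValueError('malformed {num} repeat')
            out[-1] = f'(?:{out[-1]}){{{int(pattern[i + 1:j])}}}'
            i = j + 1
        elif c == '?':
            if not out:
                raise ValueError('? must follow a character or escape')
            out[-1] = f'(?:{out[-1]})?'  # optional and greedy, as in sd_pattern
            i += 1
        else:
            out.append(re.escape(c))  # every other character is literal
            i += 1
    return ''.join(out)


def matches(pattern: str, text: str) -> bool:
    """True if the whole text is matched by the custom pattern."""
    return re.fullmatch(sd_pattern_to_regex(pattern), text) is not None


class SdPatternRule:
    """One sd_pattern:<count>,<pattern>; option with its per-session counter."""

    def __init__(self, count: int, pattern: str):
        if not 1 <= count <= 255:
            raise ValueError('count must be 1-255')
        self.count = count
        self.regex = re.compile(sd_pattern_to_regex(pattern))
        self.seen = 0  # matches accumulated over every packet of the session

    def feed(self, payload: str) -> bool:
        """Consume one packet payload; True once the threshold has been reached."""
        self.seen += len(self.regex.findall(payload))
        return self.seen >= self.count


def first_alert_packet(count: int, pattern: str, packets: list):
    """Index of the packet at which the rule fires, or None if it never does."""
    rule = SdPatternRule(count, pattern)
    for idx, payload in enumerate(packets):
        if rule.feed(payload):
            return idx
    return None


# Constructed session: three payloads carrying five (123)456-7890-style numbers.
SESSION = [
    'call (555)123-4567 or (555)765-4321',
    'fax (555)000-1111',
    'mobile (555)222-3333, alt (555)444-5555',
]

if __name__ == '__main__':
    print(first_alert_packet(5, r'(\d{3})\d{3}-\d{4}', SESSION))
```

With count 5 the rule fires on the third packet, because the two earlier packets only contributed three matches; with count 6 it never fires for this session. The counter lives on the rule object, which is the point of "tracked across all packets in a session": a single packet never has to carry the whole quota.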

Whole rule example:

    alert tcp $HOME_NET $HIGH_PORTS -> $EXTERNAL_NET $SMTP_PORTS \
    (msg:"Credit Card numbers sent over email"; gid:138; sid:1000; rev:1; \
    sd_pattern:4,credit_card; metadata:service smtp;)

Caveats
sd_pattern is not compatible with other detection options such as content or pcre; a rule that combines them with sd_pattern will fail to load with an error message. The general options used in the example above (msg, gid, sid, rev, metadata) are fine.

Rules using sd_pattern must use GID 138, the generator ID of the Sensitive Data preprocessor.


Eugene Misnik 2013-05-08