Snort is widely used as an intrusion detection system (IDS). However, it can also be used to detect leakage of sensitive data, much like a dedicated DLP tool. When configured properly, Snort can detect many types of unencrypted data, including but not limited to the following:
- Social Security Numbers with or without dashes
- Credit Card Numbers
- Email addresses
Custom patterns can also be defined to detect other text strings such as phone numbers, dates of birth, and zip codes.
The configuration process is quite simple and involves two basic steps:
- Enable the "Sensitive Data Preprocessor" in the main startup configuration file.
- Write rules that perform logging or alerting when a pattern is detected.
Snort comes with a number of rule keywords for detecting the different types of patterns.
Enable Sensitive Data Preprocessor
To enable this preprocessor, add the following line to the main Snort configuration file (usually snort.conf):
preprocessor sensitive_data: alert_threshold 10
This enables the preprocessor and sets an alert threshold of 10 matches, so an alert is raised once that many sensitive-data records have been seen.
Snort rules can be written to take a specific action when a specific pattern is detected. The following rule sends an alert when it sees a Social Security Number in email going to an outside host. Note that $HOME_NET, $EXTERNAL_NET, and $SMTP_PORTS are variables defined in snort.conf and assigned ranges of IP addresses or port numbers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SMTP_PORTS (msg:"SSN sent via email"; gid:138; sid:5001; rev:2; sd_pattern:1,us_social;)
Similar rules can be written for detecting other types of data including credit card numbers for PCI compliance.
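A rules-file fragment that extends the SSN rule above to the other built-in sd_pattern types and to one custom pattern, as an added example that is not from the original page. The sid values and the $HTTP_PORTS variable are assumed (it is a standard snort.conf variable alongside the ones the page names), and the custom pattern uses the sd_pattern syntax in which \d matches one digit and {n} repeats the preceding item n times:

```snort
# Added example (not from the original page): a local.rules fragment.
# Rules that use sd_pattern must carry gid:138 so the sensitive_data
# preprocessor handles them; sid values here are assumed local numbers.

# Credit card numbers leaving the network over web traffic (PCI). The count
# before the pattern is how many matches a session needs before it alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Credit card number sent via HTTP"; gid:138; sid:5002; rev:1; sd_pattern:2,credit_card;)

# Social Security Numbers written without dashes, in outbound email.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SMTP_PORTS (msg:"SSN without dashes sent via email"; gid:138; sid:5003; rev:1; sd_pattern:1,us_social_nodashes;)

# Many email addresses in one outbound session, e.g. a contact-list export.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Many email addresses in one session"; gid:138; sid:5004; rev:1; sd_pattern:20,email;)

# Custom pattern: US phone numbers in the form (123)456-7890. \d matches one
# digit, {n} repeats it; the parentheses and dash are matched literally.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SMTP_PORTS (msg:"Phone number sent via email"; gid:138; sid:5005; rev:1; sd_pattern:5,(\d{3})\d{3}-\d{4};)
```

Load the fragment through the usual include line in snort.conf and test each rule with the mask_output setting below enabled, so that test data does not end up in the alert log.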
The sensitive data preprocessor can also be configured to mask the matched data in logs and alerts with the following configuration:
preprocessor sensitive_data: alert_threshold 10 mask_output
Data masking keeps the leaked data itself out of logs and alerts, which would otherwise become one more place where it is stored unprotected.
In summary, Snort can be a great tool for DLP and compliance in addition to its regular IDS role. In fact, just by adding new rules, a standard Snort IDS can be used to detect unencrypted PII.