Confidential Data IDS Signatures? SSN, CC etc...

Unanswered Question
Apr 17th, 2007

Has anyone created any signatures for Cisco IDS sensors to detect things like Social Security Numbers, Credit Card numbers and other confidential information leaving the network? Obviously it would only be in unencrypted protocols, but it seems like it may be useful. One-off variants of the sigs could be customized for your particular organization's sensitive data.

rupadras Tue, 04/17/2007 - 10:23

Hi Cory,

Here's how you can write signatures to detect Credit Card numbers and Social Security Numbers sent in clear text over email/web. There is a chance of false positives as mentioned below but you may be able to customize this to suit your needs.

1. Corporate credit card being sent over clear in email/ web:

If we are looking at Visa/Mastercard format, which is 1234 5678 1234 5678

To add some granularity, Visa numbers begin with 4 and Mastercard with 5, and can have dashes instead of spaces in between...

so the format will be

[45]234[\x20\x2d]5678[\x20\x2d]1234[\x20\x2d]5678

where \x20 is the hexadecimal number for space and \x2d for a dash (-)

If you consider Amex format, which is 1234 123456 12345 but the numbers begin with 3...

so the format is [3]234[\x20\x2d]123456[\x20\x2d]12345

Considering the above formats, the regex will be

[45][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9]

or

[3][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][0-9]

in engine string-tcp to ports 25 and #WEBPORTS. The issue with this is...if there's something that matches the string, and it's not a credit card number, the signature will still fire.

The same note applies to social security numbers.

2. Social Security Numbers being sent in clear.

The regex will be [0-9][0-9][0-9][-][0-9][0-9][-][0-9][0-9][0-9][0-9]

in string-tcp to ports 25 and webports.

Any traffic that matches this pattern will fire the sig, hence there is a chance of false positives.
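As an added illustration (not code from the post or from Cisco), here are the two card patterns and the SSN pattern above written as Python regexes and run over constructed sample lines. A Luhn mod-10 check, which is not in the post, is added to show how the false positives the post warns about can be trimmed for card numbers; SSNs carry no checksum, so that caveat stands for them.

```python
import re

# Separator exactly as in the sensor signatures: space (\x20) or dash (\x2d).
SEP = r"[\x20\x2d]"
# Visa/Mastercard: [45]ddd sep dddd sep dddd sep dddd
VISA_MC_RE = re.compile(r"[45][0-9]{3}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}")
# Amex: 3ddd sep dddddd sep ddddd
AMEX_RE = re.compile(r"3[0-9]{3}" + SEP + r"[0-9]{6}" + SEP + r"[0-9]{5}")
# SSN: ddd-dd-dddd (dashes only, as in the post)
SSN_RE = re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; added here, not part of the sensor signature."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return (kind, matched_text, luhn_result) for each pattern hit on one line."""
    hits = []
    for kind, rx in (("visa_mc", VISA_MC_RE), ("amex", AMEX_RE)):
        for m in rx.finditer(line):
            digits = re.sub(SEP, "", m.group(0))
            hits.append((kind, m.group(0), luhn_ok(digits)))
    for m in SSN_RE.finditer(line):
        hits.append(("ssn", m.group(0), None))   # no checksum exists for SSNs
    return hits


def scan(lines: list) -> list:
    """Scan a list of clear-text lines; return (line_no, kind, text, luhn) tuples."""
    return [(n, k, t, l) for n, line in enumerate(lines, 1) for k, t, l in scan_line(line)]


# Constructed sample traffic (test card numbers and a made-up SSN, not real data).
SAMPLE_LINES = [
    "Subject: invoice",
    "Card on file: 4111 1111 1111 1111 exp 12/09",   # Luhn-valid Visa test number
    "Order ref 4000-0000-0000-0001 shipped",          # matches the regex, fails Luhn
    "Amex 3782 822463 10005",                         # Luhn-valid Amex test number
    "SSN 123-45-6789 on the HR form",
    "Part no. 200-10-4477 back-ordered",              # SSN-shaped, not an SSN: fires anyway
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```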

johnny_utah Wed, 04/18/2007 - 05:16

I now understand how to set up the regex in a custom signature for this. Thanks so much for that.

How do I monitor this custom signature once it is set up? I am running CS-MARS 4.2.

Will the IDS unit that fires the custom signature inform the MARS or the signature and its details?

Thanks in advance for any response.

mhellman Wed, 04/18/2007 - 05:33

If you want an incident in csmars whenever this signature fires an alarm, you will need to create a rule with a keyword to trigger on the alarms for that custom signature. Custom signatures will be mapped as an "unknown device event type" in csmars. If the signature was 60005-0, you could create a rule that looks for a keyword of "NR-60005".
