Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
788
Views
17
Helpful
5
Replies

Confidential Data IDS Signatures? SSN, CC etc...

cory.michal
Level 1
Level 1

‎04-17-2007 08:57 AM - edited ‎03-10-2019 03:34 AM

Has anyone created any signatures for Cisco IDS sensors to detect things like Social Security Numbers, Credit Card numbers and other confidential information leaving the network? Obviously it would only be in unencrypted protocols but it seems like it may be useful. One off variants of the sigs could be customized for your particular organizations sensitive data.

Labels:
0 Helpful
5 Replies 5

rupadras
Cisco Employee
Cisco Employee

‎04-17-2007 10:23 AM

Hi Cory,

Here's how you can write signatures to detect Credit Card numbers and Social Security Numbers sent in clear text over email/web. There is a chance of false positives as mentioned below but you may be able to customize this to suit your needs.

1. Corporate credit card being sent over clear in email/ web:

If we are looking at Visa/Mastercard format, which is 1234 5678 1234 5678

To add some granularity, Visa numbers begin with 4 and Mastercard with 5, and can have dashes instead of spaces in between...

so the format will be

[45]234[\x20\x2d]5678[\x20\x2d]1234[\x20\x2d]5678

where \x20 is the hexadecimal number for space and \x2d for a dash (-)

If you consider Amex format, which is 1234 123456 12345 but the numbers begin with 3...

so the format is [3]234[\x20\x2d]123456[\x20\x2d]12345

Considering the above formats, the regex will be

[45][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9]

or

[3][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][0-9]

in engine string-tcp to ports 25 and #WEBPORTS. The issue with this is...if there's something that matches the string, and it's not a credit card number, the signature will still fire.

The same note applies to social security numbers.

2. Social Security Numbers being sent in clear.

The regex will be [0-9][0-9][0-9][-][0-9][0-9][-][0-9][0-9][0-9][0-9]

in string-tcp to ports 25 and webports.

Any traffic that matches this pattern will fire the sig, hence there is a chance of false positives.

cory.michal
Level 1
Level 1
In response to rupadras

‎04-17-2007 11:02 AM

Excellent thanks.

0 Helpful

johnny_utah
Level 1
Level 1
In response to cory.michal

‎04-18-2007 05:16 AM

I now understand how to set up the regex in a custom signature for this. Thanks so much for that.

How do I monitor this custom signature once it is set up? I am running CS-MARS 4.2.

Will the IDS unit that fires the custom signature inform the MARS or the signature and its details?

Thanks in advance for any response.

0 Helpful

mhellman
Level 7
Level 7
In response to johnny_utah

‎04-18-2007 05:33 AM

If you want an incident in csmars whenever this signature fires an alarm, you will need to create a rule with a keyword to trigger on the alarms for that custom signature. custom signatures will be mapped as an "unknown device event type" in csmars. If the signature was 60005-0, you could create a rule that looks for a keyword of "NR-60005".

johnny_utah
Level 1
Level 1
In response to mhellman

‎04-18-2007 05:42 AM

Perfect!!

I will try this out right now.

Thank you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card