04-17-2007 08:57 AM - edited 03-10-2019 03:34 AM
Has anyone created any signatures for Cisco IDS sensors to detect things like Social Security Numbers, Credit Card numbers and other confidential information leaving the network? Obviously it would only be in unencrypted protocols, but it seems like it may be useful. One-off variants of the sigs could be customized for your particular organization's sensitive data.
04-17-2007 10:23 AM
Hi Cory,
Here's how you can write signatures to detect Credit Card numbers and Social Security Numbers sent in clear text over email/web. There is a chance of false positives as mentioned below but you may be able to customize this to suit your needs.
1. Corporate credit card being sent in the clear in email/web:
If we are looking at Visa/Mastercard format, which is 1234 5678 1234 5678
To add some granularity, Visa numbers begin with 4 and Mastercard with 5, and can have dashes instead of spaces in between...
so the format will be
[45]234[\x20\x2d]5678[\x20\x2d]1234[\x20\x2d]5678
where \x20 is the hexadecimal number for space and \x2d for a dash (-)
If you consider Amex format, which is 1234 123456 12345 but the numbers begin with 3...
so the format is [3]234[\x20\x2d]123456[\x20\x2d]12345
Considering the above formats, the regex will be
[45][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9]
or
[3][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][0-9][0-9][\x20\x2d][0-9][0-9][0-9][0-9][0-9]
in engine string-tcp to ports 25 and #WEBPORTS. The issue with this is...if there's something that matches the string, and it's not a credit card number, the signature will still fire.
The same note applies to social security numbers.
2. Social Security Numbers being sent in the clear.
The regex will be [0-9][0-9][0-9][-][0-9][0-9][-][0-9][0-9][0-9][0-9]
in string-tcp to ports 25 and webports.
Any traffic that matches this pattern will fire the sig, hence there is a chance of false positives.
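As an added illustration of the patterns in the post above (this is example code, not from the post or from Cisco's string-tcp engine): a small Python scanner that runs the three regexes over constructed sample lines and, as an extra filter the post does not include, drops card-number hits that fail the Luhn check digit, which removes most of the random-digit false positives the post warns about.

```python
import re

# Patterns transcribed from the post: Visa/Mastercard (leading 4 or 5, four groups of
# four digits) and Amex (leading 3, groups of 4-6-5 digits), each group separated by a
# space (\x20) or a dash (\x2d); SSN as 3-2-4 digits separated by dashes.
VISA_MC_RE = re.compile(r"[45][0-9]{3}[\x20\x2d][0-9]{4}[\x20\x2d][0-9]{4}[\x20\x2d][0-9]{4}")
AMEX_RE = re.compile(r"[3][0-9]{3}[\x20\x2d][0-9]{6}[\x20\x2d][0-9]{5}")
SSN_RE = re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 test: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str, require_luhn: bool = True) -> list:
    """Return (kind, matched_text) pairs for every pattern hit in one line of payload."""
    hits = []
    for kind, rx in (("visa/mc", VISA_MC_RE), ("amex", AMEX_RE)):
        for m in rx.finditer(line):
            digits = re.sub(r"[\x20\x2d]", "", m.group(0))
            if require_luhn and not luhn_ok(digits):
                continue        # regex matched, but the check digit says it is not a card number
            hits.append((kind, m.group(0)))
    for m in SSN_RE.finditer(line):
        hits.append(("ssn", m.group(0)))   # SSNs have no check digit; regex hit is all we get
    return hits


# Constructed sample lines standing in for cleartext SMTP/HTTP payload (not real data).
SAMPLE = [
    "Please bill card 4111 1111 1111 1111 for the order",   # well-known Visa test number
    "Order ref 5234-5678-1234-5678 shipped",               # matches regex, fails Luhn
    "Amex 3782 822463 10005 on file",                        # well-known Amex test number
    "Employee SSN 123-45-6789 attached",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(scan_line(text), "<-", text)
```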
04-17-2007 11:02 AM
Excellent thanks.
04-18-2007 05:16 AM
I now understand how to set up the regex in a custom signature for this. Thanks so much for that.
How do I monitor this custom signature once it is set up? I am running CS-MARS 4.2.
Will the IDS unit that fires the custom signature inform the MARS or the signature and its details?
Thanks in advance for any response.
04-18-2007 05:33 AM
If you want an incident in CS-MARS whenever this signature fires an alarm, you will need to create a rule with a keyword to trigger on the alarms for that custom signature. Custom signatures will be mapped as an "unknown device event type" in CS-MARS. If the signature was 60005-0, you could create a rule that looks for a keyword of "NR-60005".
04-18-2007 05:42 AM
Perfect!!
I will try this out right now.
Thank you.