sd_pattern

The sd_pattern rule option detects and filters Personally Identifiable Information (PII) and other sensitive information, such as credit card numbers, U.S. Social Security numbers, and email addresses.

This rule option has just one required argument, which is the specific pattern to detect. Snort has three built-in patterns:

  • "credit_card"
  • "us_social"
  • "us_social_nodashes"

If used in the rule option, Snort will replace those strings with the actual patterns themselves.

Snort users can also define their own patterns by including a PCRE-compatible regular expression as the argument instead. The pattern argument is always enclosed in double quotes, regardless of whether it is a built-in pattern or not. If a built-in one is used, however, Snort replaces it with the corresponding pattern and then checks that the packet data matches it.

There is also one optional argument that can be added after the pattern string: threshold. By default, sd_pattern fires after finding just one instance of the pattern, but users can specify the threshold argument to require multiple hits on that pattern within a single packet before firing. The format of this option is shown in the format section below.

Note: The sd_pattern rule option uses the Hyperscan engine to perform pattern matching, meaning Snort must be built with the Hyperscan libraries to use it.

Obfuscating PII

By default, Snort will not obfuscate credit card and social security numbers when outputting packet data to logs. However, users can enable obfuscation with the ips.obfuscate_pii configuration, which masks all but the last four characters of credit card and social security numbers. Enabling this is as easy as setting this configuration option to true, either in a Snort config or on the command line.

Here's an example showcasing how this works. Consider a credit card number that is "5555555555554444". Using sd_pattern:"credit_card"; in a rule and outputting the alerts in the cmg format will produce the following output:

$ snort -q -r cc.pcap -R local.rules -A cmg
10/19-10:29:55.494550 [**] [1:1:0] "credit card found" [**] [Priority: 0] {TCP} 10.1.2.3:50284 -> 10.9.8.7:1234
02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46
10.1.2.3:50284 -> 10.9.8.7:1234 TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:56
***A**** Seq: 0x2  Ack: 0x2  Win: 0x2000  TcpLen: 20

snort.raw[16]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
35 35 35 35 35 35 35 35  35 35 35 35 34 34 34 34  55555555 55554444
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

However, we can enable obfuscation and conceal the credit card number with the above configuration setting:

$ snort -q -r cc.pcap -R local.rules -A cmg --lua 'ips.obfuscate_pii = true'
10/19-10:29:55.494550 [**] [1:1:0] "credit card found" [**] [Priority: 0] {TCP} 10.1.2.3:50284 -> 10.9.8.7:1234
02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46
10.1.2.3:50284 -> 10.9.8.7:1234 TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:56
***A**** Seq: 0x2  Ack: 0x2  Win: 0x2000  TcpLen: 20

snort.raw[16]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
58 58 58 58 58 58 58 58  58 58 58 58 34 34 34 34  XXXXXXXX XXXX4444
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

We should note, however, that log obfuscation is only applicable to the CMG and Unified2 logging formats and that it does not support user-defined PII patterns.
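To make the threshold and obfuscation behaviour described above concrete, here is an added Python model of the two mechanisms; it is not Snort's code, and the built-in regexes in BUILTIN_PATTERNS are simplified stand-ins for whatever Snort actually substitutes (the real credit_card pattern is considerably stricter). It reproduces the documented rules: a built-in name is swapped for its pattern, any other string is used as a PCRE-style expression, threshold N requires N hits in one payload, and obfuscation masks all but the last four characters with 'X' (0x58, as in the hexdump above) for built-in patterns only.

```python
import re

# Constructed approximations of Snort's built-in sd_pattern names (assumption:
# these are NOT the patterns Snort itself substitutes, only stand-ins).
BUILTIN_PATTERNS = {
    "credit_card": r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b",
    "us_social": r"\b\d{3}-\d{2}-\d{4}\b",
    "us_social_nodashes": r"\b\d{9}\b",
}


def resolve_pattern(pattern: str) -> str:
    """Mirror the documented substitution: a built-in name becomes its
    regex; anything else is treated as a user-supplied PCRE expression."""
    return BUILTIN_PATTERNS.get(pattern, pattern)


def count_hits(pattern: str, payload: str) -> int:
    """Number of non-overlapping matches of the (resolved) pattern in one payload."""
    return len(re.findall(resolve_pattern(pattern), payload))


def sd_pattern_matches(pattern: str, payload: str, threshold: int = 1) -> bool:
    """sd_pattern:"pattern"[, threshold N]; fires only when the payload
    contains at least `threshold` hits (default 1, as in the text)."""
    return count_hits(pattern, payload) >= threshold


def obfuscate_pii(payload: bytes, pattern: str) -> bytes:
    """Model of ips.obfuscate_pii: keep the last four characters of every
    built-in match and replace the rest with 'X'. User-defined patterns are
    returned untouched, matching the documented limitation."""
    if pattern not in BUILTIN_PATTERNS:
        return payload
    regex = re.compile(BUILTIN_PATTERNS[pattern].encode())

    def mask(match: re.Match) -> bytes:
        hit = match.group(0)
        return b"X" * (len(hit) - 4) + hit[-4:]

    return regex.sub(mask, payload)


if __name__ == "__main__":
    # Constructed sample payloads, echoing the examples on this page.
    cc = b"5555555555554444"
    print(obfuscate_pii(cc, "credit_card"))          # b'XXXXXXXXXXXX4444'
    mail = "bob@ourdomain.com cc alice@ourdomain.com"
    print(sd_pattern_matches(r"\b\w+@ourdomain\.com\b", mail, threshold=2))
```

Running the block with the page's card number yields the same 12 masked characters followed by 4444 that appear in the obfuscated hexdump, and the email rule with threshold 2 fires only once two addresses are present in one payload.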

Format:

sd_pattern:"pattern"[, threshold count];

Examples

# matches all credit card patterns
sd_pattern:"credit_card";
# matches likely email addresses for the site "ourdomain.com"
sd_pattern:"\b\w+@ourdomain\.com\b";
# look for that string literal 300 times before firing
sd_pattern:"This is a string literal", threshold 300;