From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco)
Date: Tue, 18 Oct 2022 11:04:32 +0000 (+0000)
Subject: Pull request #3618: lua: add sensitive data rules
X-Git-Tag: 3.1.45.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74a32411b53b29b49a6136646b00391053d26261;p=thirdparty%2Fsnort3.git
Pull request #3618: lua: add sensitive data rules
Merge in SNORT/snort3 from ~ASERBENI/snort3:sd_rules to master
Squashed commit of the following:
commit 741e150f8b4f542080b7c16dac283e3394afe142
Author: Andrii Serbeniuk
Date: Tue Oct 4 15:45:01 2022 +0300
lua: add sensitive data rules
Rules include sd_pattern option with the following built-in patterns used: credit_card, us_social, us_social_nodashes, email, us_phone. The rule set supports following services: http, smtp, ftp-data, imap, pop3.
---
diff --git a/lua/CMakeLists.txt b/lua/CMakeLists.txt
index 3c6c1ac80..04c1d4868 100644
--- a/lua/CMakeLists.txt
+++ b/lua/CMakeLists.txt
@@ -5,6 +5,7 @@ set (LUA_SCRIPTS
 file_magic.rules
 inline.lua
 max_detect.lua
+ sensitive_data.rules
 security.lua
 snort.lua
 snort_defaults.lua
diff --git a/lua/sensitive_data.rules b/lua/sensitive_data.rules
new file mode 100644
index 000000000..3a7b82927
--- /dev/null
+++ b/lua/sensitive_data.rules
@@ -0,0 +1,25 @@
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; flow:only_stream; pkt_data; sd_pattern:"credit_card", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:1; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; file_data; sd_pattern:"credit_card", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:2; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_uri; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:3; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_header; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:4; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_client_body; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:5; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; flow:only_stream; pkt_data; sd_pattern:"us_social", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:6; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; file_data; sd_pattern:"us_social", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:7; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_uri; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:8; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_header; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:9; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_client_body; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:10; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; flow:only_stream; pkt_data; sd_pattern:"us_social_nodashes", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:11; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; file_data; sd_pattern:"us_social_nodashes", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:12; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_uri; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:13; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_header; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:14; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_client_body; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:15; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; flow:only_stream; pkt_data; sd_pattern:"email", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:16; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; file_data; sd_pattern:"email", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:17; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_uri; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:18; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_header; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:19; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_client_body; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:20; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; flow:only_stream; pkt_data; sd_pattern:"us_phone", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:21; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; file_data; sd_pattern:"us_phone", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:22; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_uri; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:23; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_header; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:24; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_client_body; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:25; rev:1; )
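Review bot: Every rule in the new file is pinned to `$HOME_NET any -> $EXTERNAL_NET any` with no `flow:to_server`/`to_client` qualifier, so for the imap and pop3 services only the half of the session leaving $HOME_NET is inspected; whether that half carries the message bodies depends on which side the mail server sits on, and the file records no such assumption. The buffers also overlap for HTTP, so a single upload containing a card number is likely to raise `pkt_data` (sid 1), `file_data` (sid 2) and `http_client_body` (sid 5) together, and the threshold of 2 for credit_card/us_social versus 20 for the remaining patterns is given without rationale. I would open the file with a `#` header comment stating the outbound-exfiltration intent and the HOME_NET/EXTERNAL_NET direction assumption, why each buffer gets its own sid (so operators know which to disable to suppress duplicates), and the basis for the two threshold values, so the set can be tuned rather than guessed at.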