From 2bc517dda0b345adab50f723bd2755f97c6f1fd6 Mon Sep 17 00:00:00 2001
From: "Russ Combs (rucombs)"
Date: Wed, 30 Nov 2016 21:09:43 -0500
Subject: [PATCH] Merge pull request #730 in SNORT/snort3 from sdf-doc to master
Squashed commit of the following:
commit 8944a32cad0a92c79c3b7ff2a546c8b55880316c
Author: Victor Roemer
Date: Wed Nov 30 10:50:26 2016 -0500
SDF-Doc take 2
---
 doc/CMakeLists.txt | 5 +++--
 doc/Makefile.am | 5 +++--
 doc/sensitive_data.txt | 14 +++++---------
 3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 3822976e0..9584239ec 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -36,8 +36,8 @@ set (
 building.txt
 daq.txt
 differences.txt
- errors.txt
 enviro.txt
+ errors.txt
 extending.txt
 features.txt
 file_processing.txt
@@ -45,14 +45,15 @@ set (
 params.txt
 perf_monitor.txt
 reference.txt
+ sensitive_data.txt
 snort2lua.txt
- snorty.png
 snort2x.png
 snort3x.png
 snort_manual.html
 snort_manual.pdf
 snort_manual.text
 snort_manual.txt
+ snorty.png
 start.txt
 style.txt
 terms.txt
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 9c74a41e2..c4ff88c3d 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -38,11 +38,12 @@ overview.txt \
 params.txt \
 perf_monitor.txt \
 reference.txt \
-snort_manual.txt \
+sensitive_data.txt \
 snort2lua.txt \
-snorty.png \
 snort2x.png \
 snort3x.png \
+snort_manual.txt \
+snorty.png \
 start.txt \
 style.txt \
 terms.txt \
diff --git a/doc/sensitive_data.txt b/doc/sensitive_data.txt
index 016147c1e..52c68eb58 100644
--- a/doc/sensitive_data.txt
+++ b/doc/sensitive_data.txt
@@ -1,12 +1,8 @@ -=== Overview - The `sd_pattern` IPS option provides detection and filtering of Personally Identifiable Information (PII). This information includes credit card numbers, U.S. Social Security numbers, and email addresses. A rich regular expression syntax is available for defining your own PII. -=== Dependencies - ==== Hyperscan The `sd_pattern` rule option is powered by the open source Hyperscan @@ -14,7 +10,7 @@ library from Intel. It provides a regex grammar which is mostly PCRE compatible. To learn more about Hyperscan see http://01org.github.io/hyperscan/dev-reference/ -=== Syntax +==== Syntax Snort provides `sd_pattern` as IPS rule option with no additional inspector overhead. The Rule option takes the following syntax. @@ -51,8 +47,8 @@ regex, '\b' matches a word boundary (whitespace, end of line, non-word characters) and '\w+' matches one or more word characters. '\.' matches a literal '.'. -The above pattern would match "a@ourdomain.com", "aa@ourdomain.com" but -would not match "1@ourdomain.com", "ab12@ourdomain.com" or "@ourdomain.com". +The above pattern would match "a@ourdomain.com", "aa@ourdomain.com" but would +not match `1@ourdomain.com` `ab12@ourdomain.com` or `@ourdomain.com`. Note: This is just an example, this pattern is not suitable to detect many correctly formatted emails. @@ -75,7 +71,7 @@ This example requires 300 matches of the pattern "This is a string literal" to qualify as a positive match. That is, if the string only occurred 299x in a packet, you will not see an even. -==== Obfuscating Credit Cards and Social Security Numbers +===== Obfuscating Credit Cards and Social Security Numbers Snort provides discreet logging for the built in patterns "credit_card", "us_social" and "us_social_nodashes". Enabling `output.obfuscate_pii` makes @@ -87,7 +83,7 @@ patterns. This configuration is disabled by default. obfuscate_pii = true } -===== Example +==== Example A complete Snort IPS rule -- 2.47.2