Re: Snort Signature to detect credit cards

1 msg	[ GLSA 200805-06 ] Firebird: Data disclosure
1 msg	Oracle Application Server 10G ORA_DAV BasicAuth...
1 msg	Free IT Security Training
3 msg	Re: Out of Office AutoReply: Snort Signature to...
4 msg	Vacation reply
1 msg	browserrecon project
1 msg	FInal EUSecWest 2008 Speakers London May 21/22
1 msg	[ MDVSA-2008:099 ] - Updated ImageMagick packag...
1 msg	[USN-611-3] GStreamer Good Plugins vulnerability
1 msg	[USN-611-2] vorbis-tools vulnerability
1 msg	FLEA-2008-0008-1 firefox
1 msg	[USN-611-1] Speex vulnerability
1 msg	n3td3v is a ...?

Snort Signature to detect credit cards
\ wilder_jeff Wilder (8 May 2008)
. \ Ivan . (8 May 2008)
. \ Christopher Jacob (9 May 2008)
. \ Ray P (9 May 2008)
. . \ Simon Smith (9 May 2008)
. . . \ Randal T. Rioux (9 May 2008)
. . . . \ T Biehn (9 May 2008)
. . . . \ Siim Põder (9 May 2008)
. . . \ poo (9 May 2008)
. . . . \ Ureleet (12 May 2008)

1 msg	DNFTT
1 msg	SonicWall e-mail security Host Header XSSVulner...
1 msg	ZYWALL Referer Header XSS Vulnerability
6 msg	Happy Birthday Israel!
6 msg	unsubscribing
1 msg	Gangbanging N3t4rse

Subject:	Re: Snort Signature to detect credit cards
Group:	Full-disclosure
From:	Siim Põder
Date:	9 May 2008

Randal T. Rioux wrote:
> FYI - http://www.emergingthreats.net
>
> This was discussed on the snort-sigs mailing list back in 2003. Check out
> http://marc.info/?l=snort-sigs&m=106601612825950&w=2
>
> Also, as Ray mentioned, the Emerging Threats emerging-policy.rules
> contains some PCRE CC# checks. This will show you some:

I wrote a dynamic plugin for detecting CC numbers (requires snort 2.6+):

http://p6drad-teel.net/~windo/release/creditcard.tar.gz

It checks prefixes (visa/amex/etc), number length and the luhn code (the
last digit) + allows arbitrary grouping by dashes and/or spaces.

Siim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/