Jim McMillan
November 2009
Introduction
How can we use Snort IDS to detect sensitive information in clear text on our networks? In this FAQ, we will look at some Snort rules designed to detect clear text credit card numbers. With a little understanding of Snort rules, you could possibly use the same theory to detect other types of sensitive information, such as US Social Security Numbers (SSNs).
Before we build the Snort rules, we first need to understand a little about the format of the information we are looking for in our network traffic. Credit card formats may be a little easier to match than other kinds of information, but they will give us a good idea of how to build Snort rules to detect specific information. Let's take a look at the format of four major credit cards.
Credit Card Number Formats
The Visa card format is 16 digits long and starts with a "4". Examples include:
- 4xxx-xxxx-xxxx-xxxx
- 4xxx xxxx xxxx xxxx
- 4xxxxxxxxxxxxxxx
The MasterCard format is 16 digits long and starts with a "5". Examples include:
- 5xxx-xxxx-xxxx-xxxx
- 5xxx xxxx xxxx xxxx
- 5xxxxxxxxxxxxxxx
The Discover card format is 16 digits long and starts with "6011". Examples include:
- 6011-xxxx-xxxx-xxxx
- 6011 xxxx xxxx xxxx
- 6011xxxxxxxxxxxx
The American Express card format is 15 digits long and starts with a "3". Examples include:
- 3xxx-xxxxxx-xxxxx
- 3xxx xxxxxx xxxxx
- 3xxxxxxxxxxxxxx
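The four formats above, written as regular expressions and run over constructed sample payloads. This is an added example, not one of this FAQ's Snort rules; the name `find_card_numbers`, the masking of matches, the digit-boundary checks, the same-separator requirement and the dummy numbers are assumptions made here for illustration.

```python
import re

# One pattern per card format listed above. ([- ]?) captures the separator
# (hyphen, space, or nothing) and \1 requires the same separator between the
# remaining groups (an assumption: the listed layouts never mix separators).
# (?<!\d) and (?!\d) keep a match from sitting inside a longer digit run.
CARD_PATTERNS = {
    "Visa": r"(?<!\d)4\d{3}([- ]?)\d{4}\1\d{4}\1\d{4}(?!\d)",
    "MasterCard": r"(?<!\d)5\d{3}([- ]?)\d{4}\1\d{4}\1\d{4}(?!\d)",
    "Discover": r"(?<!\d)6011([- ]?)\d{4}\1\d{4}\1\d{4}(?!\d)",
    "American Express": r"(?<!\d)3\d{3}([- ]?)\d{6}\1\d{5}(?!\d)",
}
COMPILED = {name: re.compile(rx) for name, rx in CARD_PATTERNS.items()}


def find_card_numbers(payload):
    """Return [(card_type, masked_number)] for each format match, in order."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(payload):
            digits = re.sub(r"\D", "", m.group())
            # Keep only the last four digits so the alert itself does not
            # become another clear-text copy of the card number.
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append((m.start(), name, masked))
    return [(name, masked) for _, name, masked in sorted(hits)]


# Constructed sample payloads with dummy numbers (not captured traffic).
SAMPLE_PAYLOADS = [
    "POST /pay card=4111-1111-1111-1111&cvv=000",
    "cc: 5500 0000 0000 0004 exp 01/30",
    "acct 6011000000000004",
    "amex 3400-000000-00009",
    "order id 41111111111111111234",  # 20-digit run: too long, no match
    "card 4111-1111 1111 1111",       # mixed separators: no match
]

if __name__ == "__main__":
    for line in SAMPLE_PAYLOADS:
        print(f"{line!r:50} -> {find_card_numbers(line)}")
```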
