
IDFAQ: Using Snort to Detect Clear Text Credit Card Numbers

Jim McMillan
November 2009

Introduction

How can we use the Snort IDS to detect sensitive information sent in clear text on our networks? In this FAQ, we will look at some Snort rules designed to detect clear text credit card numbers. With a little understanding of Snort rules, you can apply the same approach to detect other types of sensitive information, such as US Social Security Numbers (SSNs).

Before we build the Snort rules, we first need to understand a little about the format of the information we are looking for in our network traffic. Credit card formats may be a little easier to match than other kinds of information, but they give us a good idea of how to build Snort rules to detect specific information. Let's take a look at the formats of four major credit cards.

Credit Card Number Formats

The Visa card format is 16 digits long and starts with a "4". Examples include:

  • 4xxx-xxxx-xxxx-xxxx
  • 4xxx xxxx xxxx xxxx
  • 4xxxxxxxxxxxxxxx

The MasterCard format is 16 digits long and starts with a "5". Examples include:

  • 5xxx-xxxx-xxxx-xxxx
  • 5xxx xxxx xxxx xxxx
  • 5xxxxxxxxxxxxxxx

The Discover card format is 16 digits long and starts with "6011". Examples include:

  • 6011-xxxx-xxxx-xxxx
  • 6011 xxxx xxxx xxxx
  • 6011xxxxxxxxxxxx

The American Express card format is 15 digits long and starts with a "3". Examples include:

  • 3xxx-xxxxxx-xxxxx
  • 3xxx xxxxxx xxxxx
  • 3xxxxxxxxxxxxxx
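
As an added illustration (not part of the original FAQ and not its Snort rules), the Python example below turns the four formats listed above into regular expressions and runs them over a constructed payload, which is a quick way to check a pattern before putting it into an IDS rule. The function name, the sample data, the same-separator requirement and the digit-boundary lookarounds are assumptions made for this example.

```python
import re

# Separator: dash, space, or nothing. The backreference \1 forces the same
# choice between every group, matching the three layouts listed per brand.
_SEP = r"([- ]?)"

# (brand, pattern) pairs built directly from the formats described above.
_FORMATS = [
    ("Visa",       rf"4\d{{3}}{_SEP}\d{{4}}\1\d{{4}}\1\d{{4}}"),
    ("MasterCard", rf"5\d{{3}}{_SEP}\d{{4}}\1\d{{4}}\1\d{{4}}"),
    ("Discover",   rf"6011{_SEP}\d{{4}}\1\d{{4}}\1\d{{4}}"),
    ("Amex",       rf"3\d{{3}}{_SEP}\d{{6}}\1\d{{5}}"),
]

# Lookarounds (an addition for this example) stop a match from starting or
# ending inside a longer run of digits such as an order or tracking number.
_COMPILED = [(brand, re.compile(rf"(?<!\d){pat}(?!\d)")) for brand, pat in _FORMATS]


def find_card_numbers(payload: bytes):
    """Return sorted (offset, brand, matched_text) tuples found in a payload."""
    # latin-1 maps every byte to one character, so offsets equal byte offsets.
    text = payload.decode("latin-1")
    hits = []
    for brand, rx in _COMPILED:
        for m in rx.finditer(text):
            hits.append((m.start(), brand, m.group(0)))
    return sorted(hits)


# Constructed sample payload (test values, not real card data). The "order"
# field is a 20-digit run that begins with 6011 and must not be reported.
SAMPLE = (
    b"POST /pay HTTP/1.1\r\n\r\n"
    b"name=Test&card=4111-1111-1111-1111"
    b"&amex=3782 822463 10005"
    b"&order=60111111111111171234"
)

if __name__ == "__main__":
    for offset, brand, text in find_card_numbers(SAMPLE):
        print(f"offset {offset}: {brand} {text}")
```
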

Snort Rules